CVE-2026-35657

Name of the Vulnerable Software and Affected Versions OpenClaw versions prior to 2026.3.25

Description The HTTP /sessions/:sessionKey/history route did not properly validate operator read permissions, allowing attackers to access session history without authorization. The issue occurred because the route authenticated bearer tokens but skipped the operator.read scope check used by the chat.history WebSocket endpoint. A commit (1c45123231516fa50f8cf8522ba5ff2fb2ca7aea) was introduced to require HTTP callers to declare operator scopes and reject history reads lacking operator.read permissions.

Recommendations Update to version 2026.3.25 or later.