CVE-2026-35660

CVSS v3.1

8.1

High

AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

OpenClaw before 2026.3.23 contains an insufficient access control vulnerability in the Gateway agent /reset endpoint that allows callers with operator.write permission to reset admin sessions. Attackers with operator.write privileges can invoke /reset or /new messages with an explicit sessionKey to bypass operator.admin requirements and reset arbitrary sessions.

Fix

Missing Authorization

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-862

Related Identifiers

CVE-2026-35660

Affected Products

Openclaw

CVE-2026-35660

Weakness Enumeration

Related Identifiers

Affected Products

References · 5