CVE-2026-35660

Name of the Vulnerable Software and Affected Versions OpenClaw versions prior to 2026.3.23

Description OpenClaw contains an insufficient access control issue in the Gateway agent. The /reset endpoint allows callers with operator.write permission to reset admin sessions. Attackers with operator.write privileges can invoke /reset or /new messages with an explicit sessionKey to bypass operator.admin requirements and reset arbitrary sessions. The vulnerable code resides in src/gateway/server-methods/agent.ts within the performGatewaySessionReset() function.

Recommendations Update to version 2026.3.23 or later.