CVE-2026-35660

OpenClaw before 2026.3.23 contains an insufficient access control vulnerability in the Gateway agent /reset endpoint that allows callers with operator.write permission to reset admin sessions. Attackers with operator.write privileges can invoke /reset or /new messages with an explicit sessionKey to bypass operator.admin requirements and reset arbitrary sessions.

CVSS v3 8.1 HIGH

8.1^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/openclaw/openclaw/commit/50f6a2f136fed85b58548a38f7a3dbb98d2cd1a0	Patch
https://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87	Patch
https://github.com/openclaw/openclaw/security/advisories/GHSA-wq58-2pvg-5h4f	Vendor Advisory
https://www.vulncheck.com/advisories/openclaw-insufficient-access-control-in-gateway-agent-session-reset	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*

History

13 Apr 2026, 20:32

Type	Values Removed	Values Added
References	~~() https://github.com/openclaw/openclaw/commit/50f6a2f136fed85b58548a38f7a3dbb98d2cd1a0 -~~	() https://github.com/openclaw/openclaw/commit/50f6a2f136fed85b58548a38f7a3dbb98d2cd1a0 - Patch
References	~~() https://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87 -~~	() https://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87 - Patch
References	~~() https://github.com/openclaw/openclaw/security/advisories/GHSA-wq58-2pvg-5h4f -~~	() https://github.com/openclaw/openclaw/security/advisories/GHSA-wq58-2pvg-5h4f - Vendor Advisory
References	~~() https://www.vulncheck.com/advisories/openclaw-insufficient-access-control-in-gateway-agent-session-reset -~~	() https://www.vulncheck.com/advisories/openclaw-insufficient-access-control-in-gateway-agent-session-reset - Third Party Advisory
CPE		cpe:2.3:a:openclaw:openclaw::::::node.js::*
First Time		Openclaw openclaw Openclaw

10 Apr 2026, 17:17

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-04-10 17:17

Updated : 2026-04-13 20:32

NVD link : CVE-2026-35660

Mitre link : CVE-2026-35660

CVE.ORG link : CVE-2026-35660

JSON object : View

Products Affected

openclaw

openclaw

CWE

CWE-862

Missing Authorization

8.1 /10