OpenClaw before 2026.3.23 contains an insufficient access control vulnerability in the Gateway agent /reset endpoint that allows callers with operator.write permission to reset admin sessions. Attackers with operator.write privileges can invoke /reset or /new messages with an explicit sessionKey to bypass operator.admin requirements and reset arbitrary sessions.
Attack Parameters
Attack Vector
Network
Can be exploited remotely
Attack Complexity
Low
Easy to exploit
Attack Requirements
None
No additional conditions
Privileges Required
Low
Basic privileges needed
User Interaction
None
No user interaction needed
Impact Assessment
Confidentiality
None
No data leak
Integrity
High
Complete data modification
Availability
High
Complete denial of service
CVSS Vector v4.0
Weakness Type (CWE)
References 4
https://github.com/openclaw/openclaw/commit/50f6a2f136fed85b58548a38f7a3dbb98d2…
disclosure@vulncheck.com
https://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171…
disclosure@vulncheck.com
https://github.com/openclaw/openclaw/security/advisories/GHSA-wq58-2pvg-5h4f
disclosure@vulncheck.com
https://www.vulncheck.com/advisories/openclaw-insufficient-access-control-in-ga…
disclosure@vulncheck.com