OpenClaw Insufficient Access Control Vulnerability in Gateway Agent Session Reset
Vulnerability
A vulnerability exists in OpenClaw versions prior to 2026.3.23, where the Gateway agent's '/reset' handling lacks proper access controls. A user holding only the 'operator.write' scope can reset an admin session by sending a '/reset' or '/new' message that carries an explicit session key. The issue arises because '/reset' and '/new' messages are processed without the 'operator.admin' check that such resets require, enabling the unauthorized reset of sessions.
Impact
Exploitation of this vulnerability allows 'operator.write' scoped users to reset sessions that require 'operator.admin' privileges, potentially disrupting administrative workflows or session management.
Reproduction
To reproduce this vulnerability, a user with 'operator.write' privileges sends a '/reset' or '/new' message to the Gateway agent, including an explicit session key for the session to be reset. The request is processed without the 'operator.admin' authorization the operation requires, and the targeted session is reset.
Remediation
Update to OpenClaw version 2026.3.23 or later, where this vulnerability has been fixed.
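The access-control flaw and its fix, as an added TypeScript model that is not OpenClaw's own code: the 'operator.write' and 'operator.admin' scopes and the '/reset' and '/new' messages come from the advisory above, while the message shape, the `sessionKey` field and the rule that resetting one's own session still needs only 'operator.write' are assumptions made for the illustration.

```typescript
// Hypothetical model of the Gateway session-reset authorization (not OpenClaw's code).
type Scope = "operator.read" | "operator.write" | "operator.admin";

interface Caller {
  scopes: Scope[];
  sessionKey: string; // session the caller is currently speaking from (assumed field)
}

interface ResetRequest {
  command: "/reset" | "/new";
  targetSessionKey?: string; // explicit session key carried in the message, if any
}

// Parses a reset message such as "/new" or "/reset sess-admin-01" (assumed message shape).
function parseResetMessage(text: string): ResetRequest | null {
  const [cmd, key] = text.trim().split(/\s+/, 2);
  if (cmd !== "/reset" && cmd !== "/new") return null;
  return key ? { command: cmd, targetSessionKey: key } : { command: cmd };
}

const hasScope = (c: Caller, s: Scope): boolean => c.scopes.includes(s);

// Vulnerable check: operator.write is enough for any reset, even one that names
// another session, so the operator.admin requirement is never enforced.
function authorizeResetVulnerable(caller: Caller, req: ResetRequest): boolean {
  return hasScope(caller, "operator.write") || hasScope(caller, "operator.admin");
}

// Hardened check: a reset that names a session other than the caller's own is an
// administrative action and requires operator.admin; resetting one's own session
// still requires operator.write (assumed policy for the example).
function authorizeResetFixed(caller: Caller, req: ResetRequest): boolean {
  const targetsOtherSession =
    req.targetSessionKey !== undefined && req.targetSessionKey !== caller.sessionKey;
  if (targetsOtherSession) return hasScope(caller, "operator.admin");
  return hasScope(caller, "operator.write") || hasScope(caller, "operator.admin");
}

// Constructed scenario: a write-scoped operator sends a reset naming an admin's session.
const writer: Caller = { scopes: ["operator.write"], sessionKey: "sess-writer-01" };
const crossSession = parseResetMessage("/reset sess-admin-01")!;
console.log("vulnerable allows:", authorizeResetVulnerable(writer, crossSession)); // true
console.log("fixed allows:", authorizeResetFixed(writer, crossSession));           // false
```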