OpenClaw Privilege Escalation Vulnerability in Chat Command Allowing Unauthorized Session Resets
Vulnerability
A privilege escalation vulnerability exists in OpenClaw versions prior to 2026.3.28. The issue is in the chat.send command: gateway callers holding only write scope can reach the session reset operations that are meant to be restricted to admin scope. Because the chat.send pathway does not enforce the admin check on that path, a write-scoped caller can rotate the session, archive the previous transcript state, and generate a new session ID without administrative privileges.
Impact
A write-scoped gateway caller can reset sessions at will, bypassing the admin restriction: the current session is rotated, its transcript is saved, and a new session ID is forced. No scope beyond write is needed, so any client that is permitted to send chat messages can also discard the live session state that admins were expected to control.
Remediation
Upgrade to OpenClaw version 2026.3.28 or later, which addresses this issue; all earlier versions remain affected.
