CVE-2026-35660 - Vulnerability Analysis
Severity: High
CVSS: 8.1
Last Updated: April 10, 2026
OpenClaw - Broken Access Control
Published: April 10, 2026
Updated: April 10, 2026
Remote Exploitable
Overview
OpenClaw before 2026.3.23 contains an insufficient access control vulnerability in the Gateway agent /reset endpoint. An attacker holding the operator.write permission can reset arbitrary admin sessions; exploitation requires operator.write privileges.
Severity & Score
Severity: High
CVSS Score: 8.1
Impact
Attackers with operator.write privileges can reset arbitrary admin sessions, potentially leading to unauthorized session control.
Mitigation
Update to version 2026.3.23 or later.
References
- https://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87
- https://github.com/openclaw/openclaw/security/advisories/GHSA-wq58-2pvg-5h4f
- https://www.vulncheck.com/advisories/openclaw-insufficient-access-control-in-gateway-agent-session-reset
- https://github.com/openclaw/openclaw/commit/50f6a2f136fed85b58548a38f7a3dbb98d2cd1a0
Details
- CVE ID: CVE-2026-35660
- Severity: High
- CVSS Score: 8.1
- Type: broken_access_control
- Status: new
CWE
- CWE-862 (Missing Authorization)
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H