GHSA-wq58-2pvg-5h4f

Suggest an improvement
Source
https://github.com/advisories/GHSA-wq58-2pvg-5h4f
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-wq58-2pvg-5h4f/GHSA-wq58-2pvg-5h4f.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-wq58-2pvg-5h4f
Aliases
  • CVE-2026-35660
Downstream
Published
2026-03-26T19:00:45Z
Modified
2026-04-10T17:27:04Z
Severity
  • 7.1 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N CVSS Calculator
Summary
OpenClaw: Gateway agent /reset exposes admin session reset to operator.write callers
Details

Summary

Before v2026.3.23, the Gateway agent RPC accepted /reset and /new for callers with only operator.write, even though the direct sessions.reset RPC correctly requires operator.admin.

Affected Packages / Versions

  • Package: openclaw (npm)
  • Affected: < 2026.3.23
  • Fixed: >= 2026.3.23
  • Latest released tag checked: v2026.3.23-2 (630f1479c44f78484dfa21bb407cbe6f171dac87)
  • Latest published npm version checked: 2026.3.23-2

Root Cause

The vulnerable path lived in src/gateway/server-methods/agent.ts. A /reset or /new message with an explicit sessionKey reached performGatewaySessionReset(...) without enforcing the same operator.admin guard used by sessions.reset.

Fix Commit(s)

  • 50f6a2f136fed85b58548a38f7a3dbb98d2cd1a0fix(gateway): require admin for agent session reset

Release Status

The fix commit is contained in released tags v2026.3.23 and v2026.3.23-2. The latest shipped tag and npm release both include the fix.

Code-Level Confirmation

  • src/gateway/server-methods/agent.ts now rejects /reset and /new for callers that do not have operator.admin before calling performGatewaySessionReset(...).
  • src/gateway/server-methods/agent.test.ts contains the regression test rejects /reset for write-scoped gateway callers.

Thanks @smaeljaish771 for reporting.

Database specific 
{
    "cwe_ids": [
        "CWE-862"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-26T19:00:45Z",
    "nvd_published_at": null,
    "severity": "HIGH"
}
References

Affected packages

npm / openclaw

Package

Name
openclaw
View open source insights on deps.dev
Purl
pkg:npm/openclaw

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2026.3.23

Database specific

source 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-wq58-2pvg-5h4f/GHSA-wq58-2pvg-5h4f.json"