CVE-2026-35660: OpenClaw auth bypass

CISO Take

OpenClaw's Gateway agent /reset endpoint lacks proper authorization enforcement, allowing any principal with operator.write privileges to reset administrator sessions by passing an arbitrary sessionKey — completely bypassing the operator.admin requirement. With CVSS 8.1, a network-accessible attack vector, low complexity, and no user interaction required, an attacker who compromises any operator-level account gains a direct path to full platform admin access. While not currently in CISA KEV and without confirmed public exploits, the trivially low exploitation barrier and OpenClaw's history of 395 CVEs in the same package make this a credible near-term threat. Upgrade to OpenClaw ≥ 2026.3.23 immediately using patch commits 630f1479 and 50f6a2f1; until patched, restrict operator.write grants to verified principals and alert on /reset or /new endpoint calls containing an explicit sessionKey parameter.

Sources: NVD GitHub Advisory VulnCheck ATLAS

What is the risk?

High risk for organizations running OpenClaw in production AI agent environments. The exploitation path is low-friction: an adversary with any operator.write account — obtained through phishing, credential stuffing, or an exposed service token — can reset admin sessions without additional preconditions or specialized techniques. Admin control over an AI agent platform typically translates to control over tool permissions, agent configurations, and privileged data flows. The 395 prior CVEs in this package signal a codebase with persistent security debt, increasing the likelihood of compounding exploitation chains.

How does the attack unfold?

Initial Access

Attacker obtains valid operator.write credentials via phishing, credential stuffing, or discovery of a leaked service account token in a public repository.

AML.T0012

Exploitation

Attacker sends a crafted request to the Gateway agent /reset or /new endpoint with an explicit admin sessionKey, triggering the missing authorization check and bypassing the operator.admin requirement.

AML.T0049

Privilege Escalation

Admin session is reset or displaced, granting attacker full administrative control over the OpenClaw platform without possessing legitimate admin credentials.

AML.T0091.000

Impact

Attacker reconfigures agent tool permissions, deploys malicious skills, or exfiltrates sensitive data visible to privileged agents within the platform.

AML.T0081

Initial Access

Attacker obtains valid operator.write credentials via phishing, credential stuffing, or discovery of a leaked service account token in a public repository.

AML.T0012

Exploitation

Attacker sends a crafted request to the Gateway agent /reset or /new endpoint with an explicit admin sessionKey, triggering the missing authorization check and bypassing the operator.admin requirement.

AML.T0049

Privilege Escalation

Admin session is reset or displaced, granting attacker full administrative control over the OpenClaw platform without possessing legitimate admin credentials.

AML.T0091.000

Impact

Attacker reconfigures agent tool permissions, deploys malicious skills, or exfiltrates sensitive data visible to privileged agents within the platform.

AML.T0081

What systems are affected?

Package	Ecosystem	Vulnerable Range	Patched
OpenClaw	pip	—	No patch
4 dependents 37% patched ~3d to patch Full package profile →

Do you use OpenClaw? You're affected.

How severe is it?

CVSS 3.1

8.1 / 10

EPSS

N/A

Exploitation Status

No known exploitation

Sophistication

Trivial

What is the attack surface?

AV Network

AC Low

PR Low

UI None

S Unchanged

C None

I High

A High

What should I do?

1 step

1) Upgrade to OpenClaw ≥ 2026.3.23 immediately — patch commits 630f1479c44f78484dfa21bb407cbe6f171dac87 and 50f6a2f136fed85b58548a38f7a3dbb98d2cd1a0 address the missing authorization check on /reset and /new. 2) Audit all principals holding operator.write permission and revoke unnecessary grants per least-privilege principle. 3) Restrict Gateway agent endpoint access to internal networks or VPN — eliminate public exposure of /reset and /new endpoints. 4) Implement alerting on requests to /reset and /new that include an explicit sessionKey parameter differing from the authenticated caller's own session. 5) Rotate all admin session tokens as a precautionary measure pending patch deployment.

How is it classified?

Auth Bypass Data Extraction Agent AML.T0012 - Valid Accounts AML.T0049 - Exploit Public-Facing Application AML.T0081 - Modify AI Agent Configuration AML.T0091.000 - Application Access Token

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act

Article 9 - Risk management system

ISO 42001

A.9.4 - System and application access control

NIST AI RMF

GOVERN 1.2 - Accountability for AI risk

OWASP LLM Top 10

LLM08:2025 - Excessive Agency

Frequently Asked Questions

What is CVE-2026-35660?

OpenClaw's Gateway agent /reset endpoint lacks proper authorization enforcement, allowing any principal with operator.write privileges to reset administrator sessions by passing an arbitrary sessionKey — completely bypassing the operator.admin requirement. With CVSS 8.1, a network-accessible attack vector, low complexity, and no user interaction required, an attacker who compromises any operator-level account gains a direct path to full platform admin access. While not currently in CISA KEV and without confirmed public exploits, the trivially low exploitation barrier and OpenClaw's history of 395 CVEs in the same package make this a credible near-term threat. Upgrade to OpenClaw ≥ 2026.3.23 immediately using patch commits 630f1479 and 50f6a2f1; until patched, restrict operator.write grants to verified principals and alert on /reset or /new endpoint calls containing an explicit sessionKey parameter.

Is CVE-2026-35660 actively exploited?

No confirmed active exploitation of CVE-2026-35660 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-35660?

1) Upgrade to OpenClaw ≥ 2026.3.23 immediately — patch commits 630f1479c44f78484dfa21bb407cbe6f171dac87 and 50f6a2f136fed85b58548a38f7a3dbb98d2cd1a0 address the missing authorization check on /reset and /new. 2) Audit all principals holding operator.write permission and revoke unnecessary grants per least-privilege principle. 3) Restrict Gateway agent endpoint access to internal networks or VPN — eliminate public exposure of /reset and /new endpoints. 4) Implement alerting on requests to /reset and /new that include an explicit sessionKey parameter differing from the authenticated caller's own session. 5) Rotate all admin session tokens as a precautionary measure pending patch deployment.

What systems are affected by CVE-2026-35660?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, AI agent platforms, multi-user AI deployments, enterprise AI automation pipelines.

What is the CVSS score for CVE-2026-35660?

CVE-2026-35660 has a CVSS v3.1 base score of 8.1 (HIGH).

What is the AI security impact?

Affected AI Architectures

agent frameworksAI agent platformsmulti-user AI deploymentsenterprise AI automation pipelines

MITRE ATLAS Techniques

AML.T0012 Valid Accounts

AML.T0049 Exploit Public-Facing Application

AML.T0081 Modify AI Agent Configuration

AML.T0091.000 Application Access Token

Compliance Controls Affected

EU AI Act: Article 9

ISO 42001: A.9.4

NIST AI RMF: GOVERN 1.2

OWASP LLM Top 10: LLM08:2025

What are the technical details?

Original Advisory

OpenClaw before 2026.3.23 contains an insufficient access control vulnerability in the Gateway agent /reset endpoint that allows callers with operator.write permission to reset admin sessions. Attackers with operator.write privileges can invoke /reset or /new messages with an explicit sessionKey to bypass operator.admin requirements and reset arbitrary sessions.

Exploitation Scenario

An attacker obtains operator.write credentials by phishing a developer or discovering a leaked service account token in a public code repository. They identify an active admin session — potentially via platform APIs that expose session metadata to operator-level users — and send a crafted POST to the Gateway agent /reset endpoint with the target admin's sessionKey. Because the operator.admin authorization check is absent on this endpoint, the call succeeds, invalidating the admin session. The attacker exploits the resulting access gap to reconfigure agent tool permissions and install a malicious skill, mirroring the credential-exfiltration pattern documented in AIID incident #1368.

Weaknesses (CWE)

CWE-862 Missing Authorization

CWE-862 — Missing Authorization: The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

[Architecture and Design] Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries. Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
[Architecture and Design] Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].

Source: MITRE CWE corpus.