{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-35660/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":8.1,"id":"CVE-2026-35660"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["cve-2026-35660","openclaw","access-control","privilege-escalation"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eOpenClaw, a yet-to-be-defined application, suffers from an insufficient access control vulnerability (CVE-2026-35660) affecting versions prior to 2026.3.23. The vulnerability exists within the Gateway agent\u0026rsquo;s \u003ccode\u003e/reset\u003c/code\u003e endpoint.  An attacker possessing \u003ccode\u003eoperator.write\u003c/code\u003e permissions can exploit this flaw to reset administrative sessions, circumventing the intended \u003ccode\u003eoperator.admin\u003c/code\u003e requirement.  Specifically, the vulnerability allows attackers to invoke \u003ccode\u003e/reset\u003c/code\u003e or \u003ccode\u003e/new\u003c/code\u003e messages including an explicit \u003ccode\u003esessionKey\u003c/code\u003e to manipulate arbitrary sessions. This could lead to unauthorized access and modification of sensitive system configurations, depending on the scope of the OpenClaw application. 
The vulnerability was disclosed on April 10, 2026.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains unauthorized \u003ccode\u003eoperator.write\u003c/code\u003e privileges within the OpenClaw application, potentially through account compromise or privilege escalation from another vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting the Gateway agent\u0026rsquo;s \u003ccode\u003e/reset\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe crafted request includes a specific \u003ccode\u003esessionKey\u003c/code\u003e belonging to an administrative user.\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker could send a \u003ccode\u003e/new\u003c/code\u003e message containing the admin\u0026rsquo;s \u003ccode\u003esessionKey\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eDue to the insufficient access control, the Gateway agent processes the request, incorrectly resetting the targeted admin session.\u003c/li\u003e\n\u003cli\u003eThe administrative user is forcibly logged out of their session, disrupting their work.\u003c/li\u003e\n\u003cli\u003eThe attacker could potentially hijack the reset session depending on implementation details.\u003c/li\u003e\n\u003cli\u003eThe attacker could then use their elevated access to perform unauthorized actions, such as modifying critical system configurations or accessing sensitive data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-35660 allows attackers with \u003ccode\u003eoperator.write\u003c/code\u003e privileges to reset arbitrary admin sessions in OpenClaw. 
This can lead to denial of service for legitimate administrators, and potentially allow the attacker to hijack the reset session or perform unauthorized actions, leading to data breaches or system compromise, depending on the application\u0026rsquo;s functionalities and the scope of admin privileges. The severity is rated as high with a CVSS score of 8.1.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade OpenClaw to version 2026.3.23 or later to patch CVE-2026-35660.\u003c/li\u003e\n\u003cli\u003eReview and enforce strict access control policies for the OpenClaw application, ensuring that \u003ccode\u003eoperator.write\u003c/code\u003e privileges are only granted to trusted users.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious requests to the \u003ccode\u003e/reset\u003c/code\u003e endpoint, especially those containing explicit \u003ccode\u003esessionKey\u003c/code\u003e parameters, and correlate them with user roles.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect OpenClaw Session Reset Attempt\u0026rdquo; to detect exploitation attempts (see below).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-10T17:50:21Z","date_published":"2026-04-10T17:50:21Z","id":"/briefs/2026-04-openclaw-reset-vuln/","summary":"OpenClaw before 2026.3.23 contains an insufficient access control vulnerability in the Gateway agent /reset endpoint that allows callers with operator.write permission to reset admin sessions by invoking /reset or /new messages with an explicit sessionKey, bypassing operator.admin requirements.","title":"OpenClaw Insufficient Access Control in Gateway Agent Session Reset (CVE-2026-35660)","url":"https://feed.craftedsignal.io/briefs/2026-04-openclaw-reset-vuln/"}],"language":"en","title":"CraftedSignal Threat Feed — Cve-2026-35660","version":"https://jsonfeed.org/version/1.1"}