Mar 26, 2026·4 min read·18 visits
A missing authorization check in the OpenClaw agent RPC handler allows standard users to reset administrative sessions by sending specifically crafted in-band messages like '/reset'.
The OpenClaw gateway contains an improper authorization vulnerability in the Agent RPC handler. Users with basic operator.write permissions can bypass scope restrictions to execute administrative session resets via in-band text commands, leading to targeted service disruption and state manipulation.
The OpenClaw gateway exposes an Agent RPC handler responsible for processing client messages. This component manages active sessions and routes command strings originating from connected users. A structural flaw in this handler allows users with baseline permissions to execute administrative functions.
The vulnerability is tracked as GHSA-WQ58-2PVG-5H4F and classified under CWE-863 (Incorrect Authorization). It fundamentally stems from an inconsistency in how different remote procedure calls evaluate user permissions. The application enforces strict access controls on dedicated management endpoints but neglects these checks on in-band command parsers.
By leveraging this oversight, authenticated users with the standard operator.write scope can trigger session state resets for arbitrary users. This allows lower-privileged accounts to interfere with administrative workflows and disrupt system availability.
The OpenClaw gateway maintains two distinct code paths for resetting user sessions. The primary path utilizes the sessions.reset RPC endpoint, which correctly enforces the operator.admin scope. The secondary path handles in-band user commands through the agent RPC endpoint.
The agent RPC handler processes raw text messages using the RESET_COMMAND_RE regular expression. When the handler detects commands like /reset or /new, it extracts the requestedSessionKey variable from the request context. The system then directly invokes the runSessionResetFromAgent routine.
This secondary path lacks the authorization guardrails present in the primary RPC endpoint. The agent handler inherently trusts that the caller is authorized to operate on the provided requestedSessionKey. Consequently, any user capable of interacting with the agent RPC can trigger the underlying administrative function.
The vulnerability resides in the message processing logic within src/gateway/server-methods/agent.ts. The original implementation executed runSessionResetFromAgent immediately upon matching the regex pattern, completely ignoring the token's authorized scope.
The fix, implemented in commit 50f6a2f136fed85b58548a38f7a3dbb98d2cd1a0, introduces an explicit authorization barrier. The developers added the resolveCanResetSessionFromClient function to evaluate caller privileges before processing the command.
// src/gateway/server-methods/agent.ts
+ function resolveCanResetSessionFromClient(client: GatewayRequestHandlerOptions["client"]): boolean {
+ return resolveSenderIsOwnerFromClient(client);
+ }The handler logic now evaluates the canResetSession boolean. If the user is neither the session owner nor an administrator, the gateway aborts the operation and returns an INVALID_REQUEST error.
// Within agentHandlers:
+ const canResetSession = resolveCanResetSessionFromClient(client);
// ...
const resetCommandMatch = message.match(RESET_COMMAND_RE);
if (resetCommandMatch && requestedSessionKey) {
+ if (!canResetSession) {
+ respond(
+ false,
+ undefined,
+ errorShape(ErrorCodes.INVALID_REQUEST, `missing scope: ${ADMIN_SCOPE}`),
+ );
+ return;
+ }An attacker initiates exploitation by authenticating to the OpenClaw gateway. The session token must possess at least operator.write permissions, representing a standard user scope. No administrative access is required to begin the attack.
The attacker constructs a crafted payload targeted at the agent RPC endpoint. The payload consists of a text message containing the /reset command alongside a target sessionKey. A typical target key follows the format agent:main:main.
Upon receiving this message, the gateway parses the command and matches the regular expression. The system bypasses normal administrative checks and triggers the session reset routine against the specified key. The attacker receives a successful response while the target session drops.
Exploitation results in the unauthorized reset of active sessions within the OpenClaw environment. An attacker can specifically target administrative sessions or disrupt general user workflows. This produces a targeted denial-of-service condition against critical gateway users.
The state disruption forces users to re-authenticate and re-establish their operational context. Active administrative tasks are immediately terminated when the session drops. This causes data loss for in-progress operations that require persistent state.
Continuous exploitation effectively prevents administrators from maintaining access to the management interface. An attacker running an automated script to continuously submit /reset commands can permanently lock administrators out of active session management.
Administrators must update the OpenClaw deployment to the latest version containing commit 50f6a2f136fed85b58548a38f7a3dbb98d2cd1a0. This patch comprehensively addresses the missing authorization check by aligning the agent RPC permissions with the dedicated sessions.reset endpoint.
Security teams should implement log monitoring to detect past or ongoing exploitation attempts. Audit the gateway access logs for agent RPC requests containing /reset or /new strings that originate from accounts lacking the operator.admin scope.
Dynamic Application Security Testing (DAST) tools and vulnerability scanners should be updated to verify this condition. Scanners can test the agent RPC by attempting to send /reset commands with a lower-privileged token and asserting that the application responds with the explicit missing scope: operator.admin error message.
| Product | Affected Versions | Fixed Version |
|---|---|---|
OpenClaw OpenClaw | All versions prior to the March 23, 2026 patch | Commit 50f6a2f136fed85b58548a38f7a3dbb98d2cd1a0 |
| Attribute | Detail |
|---|---|
| Vulnerability Type | Improper Authorization |
| CWE ID | CWE-863 |
| Attack Vector | Network / RPC API |
| Authentication | Required (operator.write) |
| Impact | Targeted Denial of Service / State Disruption |
| Exploit Status | Proof of Concept Available |
The software performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
An in-depth security audit of the skillctl command-line package manager revealed five critical and high-severity security vulnerabilities. The identified flaws span parameter-level command argument injection via the source_sha parameter, uncontrolled resource consumption (Denial of Service) through unnamed UNIX FIFOs and character devices, directory path traversal in the destination argument, commit-message trailer forgery via newline injection in skill names, and local credential exfiltration leveraging UNIX hardlinks. These vulnerabilities represent significant vectors for workstation compromise when executing agentic tasks in repositories containing untrusted files or pull requests. Remediation was introduced in version v0.1.3.
CVE-2026-48153 is a Server-Side Request Forgery (SSRF) vulnerability in the Budibase OAuth2 SDK prior to version 3.39.0. It allows authenticated low-privileged users to bypass outbound network security blacklists and send arbitrary requests to internal subnets or cloud metadata services.
The self-hosted Slack Nebula VPN control plane, nebula-mesh, stored high-privilege enrollment tokens in plaintext inside its SQLite database. This flaw allowed any adversary with read access to the database to retrieve pending tokens and enroll unauthorized hosts into the secure VPN mesh.
The devbridge-autocomplete package (jQuery-Autocomplete) fails to escape category headers and suggestion values when using default formatters formatGroup and formatResult. If suggestions contain untrusted input, arbitrary HTML and JavaScript execute directly in the victim's browser session.
OpenCTI versions prior to 6.1.9 fail to properly restrict GraphQL schema introspection queries due to a weak pattern-matching implementation. An unauthenticated attacker can bypass the introspection block list by stripping whitespace and carriage returns, enabling complete reconnaissance of the GraphQL schema.
An unrestricted file upload vulnerability in Paymenter's support ticket system (prior to version 1.2.11) allows authenticated users to upload arbitrary PHP scripts to a web-accessible directory. The application fails to validate file extensions or MIME types before storing the files, enabling remote code execution under the web server's privilege context.