GHSA-WQ58-2PVG-5H4F: Improper Authorization and Privilege Escalation in OpenClaw Gateway Agent RPC

The OpenClaw gateway exposes an Agent RPC handler responsible for processing client messages. This component manages active sessions and routes command strings originating from connected users. A structural flaw in this handler allows users with baseline permissions to execute administrative functions.

The vulnerability is tracked as GHSA-WQ58-2PVG-5H4F and classified under CWE-863 (Incorrect Authorization). It fundamentally stems from an inconsistency in how different remote procedure calls evaluate user permissions. The application enforces strict access controls on dedicated management endpoints but neglects these checks on in-band command parsers.

By leveraging this oversight, authenticated users with the standard operator.write scope can trigger session state resets for arbitrary users. This allows lower-privileged accounts to interfere with administrative workflows and disrupt system availability.

The OpenClaw gateway maintains two distinct code paths for resetting user sessions. The primary path utilizes the sessions.reset RPC endpoint, which correctly enforces the operator.admin scope. The secondary path handles in-band user commands through the agent RPC endpoint.

The agent RPC handler processes raw text messages using the RESET_COMMAND_RE regular expression. When the handler detects commands like /reset or /new, it extracts the requestedSessionKey variable from the request context. The system then directly invokes the runSessionResetFromAgent routine.

This secondary path lacks the authorization guardrails present in the primary RPC endpoint. The agent handler inherently trusts that the caller is authorized to operate on the provided requestedSessionKey. Consequently, any user capable of interacting with the agent RPC can trigger the underlying administrative function.

The vulnerability resides in the message processing logic within src/gateway/server-methods/agent.ts. The original implementation executed runSessionResetFromAgent immediately upon matching the regex pattern, completely ignoring the token's authorized scope.

The fix, implemented in commit 50f6a2f136fed85b58548a38f7a3dbb98d2cd1a0, introduces an explicit authorization barrier. The developers added the resolveCanResetSessionFromClient function to evaluate caller privileges before processing the command.

// src/gateway/server-methods/agent.ts
+ function resolveCanResetSessionFromClient(client: GatewayRequestHandlerOptions["client"]): boolean {
+   return resolveSenderIsOwnerFromClient(client);
+ }

The handler logic now evaluates the canResetSession boolean. If the user is neither the session owner nor an administrator, the gateway aborts the operation and returns an INVALID_REQUEST error.

// Within agentHandlers:
+   const canResetSession = resolveCanResetSessionFromClient(client);
    // ...
    const resetCommandMatch = message.match(RESET_COMMAND_RE);
    if (resetCommandMatch && requestedSessionKey) {
+     if (!canResetSession) {
+       respond(
+         false,
+         undefined,
+         errorShape(ErrorCodes.INVALID_REQUEST, `missing scope: ${ADMIN_SCOPE}`),
+       );
+       return;
+     }

An attacker initiates exploitation by authenticating to the OpenClaw gateway. The session token must possess at least operator.write permissions, representing a standard user scope. No administrative access is required to begin the attack.

The attacker constructs a crafted payload targeted at the agent RPC endpoint. The payload consists of a text message containing the /reset command alongside a target sessionKey. A typical target key follows the format agent:main:main.

Upon receiving this message, the gateway parses the command and matches the regular expression. The system bypasses normal administrative checks and triggers the session reset routine against the specified key. The attacker receives a successful response while the target session drops.

Exploitation results in the unauthorized reset of active sessions within the OpenClaw environment. An attacker can specifically target administrative sessions or disrupt general user workflows. This produces a targeted denial-of-service condition against critical gateway users.

The state disruption forces users to re-authenticate and re-establish their operational context. Active administrative tasks are immediately terminated when the session drops. This causes data loss for in-progress operations that require persistent state.

Continuous exploitation effectively prevents administrators from maintaining access to the management interface. An attacker running an automated script to continuously submit /reset commands can permanently lock administrators out of active session management.

Administrators must update the OpenClaw deployment to the latest version containing commit 50f6a2f136fed85b58548a38f7a3dbb98d2cd1a0. This patch comprehensively addresses the missing authorization check by aligning the agent RPC permissions with the dedicated sessions.reset endpoint.

Security teams should implement log monitoring to detect past or ongoing exploitation attempts. Audit the gateway access logs for agent RPC requests containing /reset or /new strings that originate from accounts lacking the operator.admin scope.

Dynamic Application Security Testing (DAST) tools and vulnerability scanners should be updated to verify this condition. Scanners can test the agent RPC by attempting to send /reset commands with a lower-privileged token and asserting that the application responds with the explicit missing scope: operator.admin error message.