CVE-2026-32919

MEDIUM

OpenClaw < 2026.3.11 - Unauthorized Session Reset via agent Slash Commands

Title source: cna

Description

OpenClaw before 2026.3.11 contains an authorization bypass vulnerability allowing write-scoped callers to reach admin-only session reset logic. Attackers with operator.write scope can issue agent requests containing /new or /reset slash commands to reset targeted conversation state without holding operator.admin privileges.

References (2)

Scores

CVSS v3 6.1
EPSS 0.0001
EPSS Percentile 2.3%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H

Details

CWE
CWE-863
Status published
Products (3)
OpenClaw/OpenClaw < 2026.3.11
openclaw/openclaw < 2026.3.11
OpenClaw/OpenClaw 2026.3.11
Published Mar 29, 2026
Tracked Since Mar 29, 2026