OpenClaw versions prior to 2026.3.28 contain a privilege escalation vulnerability in the chat.send function. The vulnerability allows write-scoped gateway callers to perform admin-only session reset operations without proper authorization. Attackers can exploit improper authorization checks to rotate target sessions, archive transcript state, and force new session IDs. This bypasses the required admin scope permissions and represents a significant security flaw in the application's access control mechanism.