top of page
perceptive_background_267k.jpg

OpenClaw before 2026.3.28 contains a privilege escalation vulnerability in chat.send that allows write-scoped gateway callers to trigger admin-only session rese…

Published:

27 April 2026 at 22:00:00

Alert date:

28 April 2026 at 17:01:24

Source:

nvd.nist.gov

Click to open the original link from this advisory

Identity & Access, Enterprise Applications

OpenClaw before version 2026.3.28 contains a privilege escalation vulnerability in the chat.send function. The flaw allows write-scoped gateway callers to trigger admin-only session reset operations without proper authorization. Attackers can exploit improper authorization checks to rotate target sessions, archive transcript state, and force new session IDs. This vulnerability bypasses admin scope requirements and affects session management functionality. The issue has been identified and tracked under CVE-2026-41371.

Technical details

Mitigation steps:

Affected products:

OpenClaw

Related links:

https://nvd.nist.gov/vuln/detail/CVE-2026-41371
https://github.com/openclaw/openclaw/security/advisories/GHSA-5r8f-96gm-5j6g
https://www.vulncheck.com/advisories/openclaw-privilege-escalation-via-chat-send-reset-command

Related CVE's:

Related threat actors:

IOC's:

This article was created with the assistance of AI technology by Perceptive.

About us

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

Disclaimer: Deze website toont informatie afkomstig van externe bronnen. Perceptive aanvaardt geen verantwoordelijkheid voor de inhoud, juistheid of volledigheid van deze informatie.

bottom of page