GHSA-5r8f-96gm-5j6g: OpenClaw Gateway `operator.write` can reach admin-only session reset via `chat.send` `/reset`

April 1, 2026

The chat.send path reused command authorization to trigger /reset session rotation even though direct session reset is an admin-only control-plane operation.

References

github.com/advisories/GHSA-5r8f-96gm-5j6g
github.com/openclaw/openclaw
github.com/openclaw/openclaw/commit/be00fcfccba108f88dc3d4380146c6e058770b03
github.com/openclaw/openclaw/releases/tag/v2026.3.28
github.com/openclaw/openclaw/security/advisories/GHSA-5r8f-96gm-5j6g

Code Behaviors & Features

Detect and mitigate GHSA-5r8f-96gm-5j6g with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →