VDB
EN
HIGH

GHSA-5r8f-96gm-5j6g

OpenClaw Gateway `operator.write` can reach admin-only session reset via `chat.send` `/reset`

상세

## Summary

The `chat.send` path reused command authorization to trigger `/reset` session rotation even though direct session reset is an admin-only control-plane operation.

## Impact

A write-scoped gateway caller could rotate a target session, archive the prior transcript state, and force a new session id without admin scope.

## Affected Component

`src/gateway/server-methods/chat.ts, src/auto-reply/reply/session.ts`

## Fixed Versions

- Affected: `<= 2026.3.24` - Patched: `>= 2026.3.28` - Latest stable `2026.3.28` contains the fix.

## Fix

Fixed by commit `be00fcfccb` (`Gateway: align chat.send reset scope checks`).

이 버전이 영향받나요?

사용 중인 패키지 버전을 입력하면 즉시 평가합니다.

영향 패키지

npm / openclaw
최초 영향 버전: 0 수정 버전: 2026.3.28
수정 npm install openclaw@2026.3.28

참고