
10 matches found

OSV
added 2026/04/10 12:30 a.m. | 0 views

GHSA-M5JP-P3R5-MFQP Duplicate Advisory: OpenClaw: Gateway Plugin Subagent Fallback `deleteSession` Uses Synthetic `operator.admin`

Duplicate Advisory: This advisory has been withdrawn because it is a duplicate of GHSA-h4jx-hjr3-fhgc. This link is maintained to preserve external references. Original Description: OpenClaw before 2026.3.25 contains a privilege escalation vulnerability in the gateway plugin subagent fallback...

CVSS 8.1 | AI score 5.8 | EPSS 0.0005
Exploits: 0 | References: 4
ATTACKERKB
added 2026/04/09 9:27 p.m. | 2 views

CVE-2026-35645

OpenClaw before 2026.3.25 contains a privilege escalation vulnerability in the gateway plugin subagent fallback deleteSession function that uses a synthetic operator.admin runtime scope. Attackers can exploit this by triggering session deletion without a request-scoped client to execute privilege...

CVSS 8.1 | AI score 6 | EPSS 0.0005
Exploits: 0 | References: 4
CNNVD
added 2026/04/09 12:0 a.m. | 3 views

OpenClaw Security Vulnerability

OpenClaw is an open-source artificial intelligence assistant developed by OpenClaw. Versions of OpenClaw prior to 2026.3.25 contained security vulnerabilities. These vulnerabilities stemmed from the gateway plugin’s sub-agent’s deleteSession function using a synthesized operator.admin runtime scop...

CVSS 8.8 | AI score 5.8 | EPSS 0.0005
Exploits: 0 | References: 3
Snyk
added 2026/03/29 3:49 p.m. | 0 views

Incorrect Authorization

Overview: openclaw is a 🦞 OpenClaw — Personal AI Assistant. Affected versions of this package are vulnerable to Incorrect Authorization in the deleteSession process. An attacker can gain unauthorized access to privileged operations by exploiting the fallback mechanism that assigns a synthetic...

CVSS 8.8 | AI score 5.9 | EPSS 0.0005
Exploits: 0 | References: 3
EUVD
added 2025/10/07 12:30 a.m. | 1 view

EUVD-2006-0780

Malware in sbrugna...

CVSS 7.5 | AI score 6.4 | EPSS 0.01615
Exploits: 1 | References: 9
NVD
added 2006/02/19 12:2 a.m. | 8 views

CVE-2006-0774

SQL injection vulnerability in deleteSession in DBeSession library 1.0.2 and earlier, as used in multiple products, allows remote attackers to execute arbitrary SQL commands via the $sessidset variable, which is usually derived from PHPSESSID...

CVSS 7.5 | AI score 8.4 | EPSS 0.01615
Exploits: 1 | References: 8
Prion
added 2006/02/19 12:2 a.m. | 7 views

SQL injection

SQL injection vulnerability in deleteSession in DBeSession library 1.0.2 and earlier, as used in multiple products, allows remote attackers to execute arbitrary SQL commands via the $sessidset variable, which is usually derived from PHPSESSID...

CVSS 7.5 | AI score 9 | EPSS 0.01615
Exploits: 1 | References: 8 | Affected Software: 1
UbuntuCve
added 2006/02/19 12:2 a.m. | 12 views

CVE-2006-0774

SQL injection vulnerability in deleteSession in DBeSession library 1.0.2 and earlier, as used in multiple products, allows remote attackers to execute arbitrary SQL commands via the $sessidset variable, which is usually derived from PHPSESSID...

CVSS 7.5 | AI score 6.1 | EPSS 0.01615
Exploits: 1 | References: 1
Cvelist
added 2006/02/19 12:0 a.m. | 11 views

CVE-2006-0774

SQL injection vulnerability in deleteSession in DBeSession library 1.0.2 and earlier, as used in multiple products, allows remote attackers to execute arbitrary SQL commands via the $sessidset variable, which is usually derived from PHPSESSID...

AI score 8.4 | EPSS 0.01615
Exploits: 1 | References: 8
Packet Storm
added 2006/02/14 12:0 a.m. | 21 views

DBeSession102.txt

GulfTech Security Research, February 11, 2006. Vendor: Lawrence Osiris; URL: http://www.phpclasses.org/browse/package/1624.html; Version: DBeSession 1.0.2; Risk: SQL Injection. Description: DBeSession is a feature-packed PHP class that stores the session data in a MySQL database rather than files. ...

AI score 7.4
Exploits: 0