OpenClaw Improper Access Control Vulnerability in Session Termination Endpoint
Vulnerability
An improper access control vulnerability has been identified in OpenClaw versions prior to 2026.3.25. The issue resides in the HTTP route '/sessions/:sessionKey/kill', where any bearer-authenticated user can invoke admin-level session termination without adequate scope validation. An attacker holding any valid bearer token can therefore send authenticated requests that terminate arbitrary subagent sessions through the 'killSubagentRunAdmin' function, bypassing both session-ownership and operator-scope restrictions.
Impact
Exploitation of this vulnerability allows unauthorized users to terminate sessions at an admin level, potentially disrupting service or application functionality.
Reproduction
To reproduce this vulnerability, send a request authenticated with a bearer token to the '/sessions/:sessionKey/kill' endpoint. The request is processed as an admin-level session termination, without the scope validation or ownership verification that should gate it.
Remediation
Users can update to OpenClaw version 2026.3.25 or later, where this vulnerability has been patched.
