CVE-2026-41298 Overview
OpenClaw before version 2026.4.2 contains an authorization bypass vulnerability in the session termination endpoint. The application fails to enforce write scopes on the POST /sessions/:sessionKey/kill endpoint when operating in identity-bearing HTTP modes. This allows read-scoped callers to terminate running subagent sessions by sending requests to this endpoint, bypassing authorization controls that should require write permissions.
Critical Impact
Attackers with read-only access can terminate active subagent sessions, potentially causing service disruption and unauthorized denial of service to legitimate users.
Affected Products
- OpenClaw versions prior to 2026.4.2
Discovery Timeline
- 2026-04-21 - CVE-2026-41298 published to NVD
- 2026-04-21 - Last updated in NVD database
Technical Details for CVE-2026-41298
Vulnerability Analysis
This vulnerability is classified under CWE-862 (Missing Authorization), which occurs when software does not perform an authorization check when an actor attempts to access a resource or perform an action. In OpenClaw's gateway implementation, the session kill HTTP endpoint improperly handles scope verification for incoming requests. When operating in identity-bearing HTTP modes, the endpoint accepts requests from callers possessing only read-level scopes, even though terminating sessions is fundamentally a write operation that modifies system state.
The lack of proper scope enforcement creates a privilege escalation pathway where low-privilege API consumers can execute administrative actions. This represents a significant access control failure in the gateway's authorization layer.
Root Cause
The root cause lies in the src/gateway/session-kill-http.ts file, where the original implementation used authorizeGatewayBearerRequestOrReply for authentication but did not properly validate that the requesting party had write-level scopes required for session termination operations. The authorization logic failed to distinguish between read and write operations at the endpoint level.
Attack Vector
An attacker with legitimate read-only access to the OpenClaw system can exploit this vulnerability by sending a POST request to the /sessions/:sessionKey/kill endpoint. Since the endpoint does not verify write scopes, the request is processed successfully despite the caller lacking appropriate permissions. This network-accessible attack requires low privileges (read-only access) and no user interaction.
The attack flow involves:
- Obtaining a valid read-scoped authentication token
- Identifying an active session key (potentially through enumeration or information disclosure)
- Sending a POST request to terminate the target session
- The session is terminated without proper authorization checks
import { loadConfig } from "../config/config.js";
import type { AuthRateLimiter } from "./auth-rate-limit.js";
import { isLocalDirectRequest, type ResolvedGatewayAuth } from "./auth.js";
-import { authorizeGatewayBearerRequestOrReply } from "./http-auth-helpers.js";
import { sendJson, sendMethodNotAllowed } from "./http-common.js";
+import {
+ authorizeGatewayHttpRequestOrReply,
+ resolveTrustedHttpOperatorScopes,
+} from "./http-utils.js";
+import { authorizeOperatorScopesForMethod } from "./method-scopes.js";
import { loadSessionEntry } from "./session-utils.js";
const REQUESTER_SESSION_KEY_HEADER = "x-openclaw-requester-session-key";
Source: GitHub Commit
The patch introduces proper scope authorization by replacing authorizeGatewayBearerRequestOrReply with authorizeGatewayHttpRequestOrReply and adding authorizeOperatorScopesForMethod to validate that the caller has the required write scopes for session termination operations.
Detection Methods for CVE-2026-41298
Indicators of Compromise
- Unexpected session terminations affecting legitimate users without corresponding write-scoped authentication events
- POST requests to /sessions/:sessionKey/kill from API clients that should only have read-level access
- Authentication logs showing read-scoped tokens being used for session management operations
- Elevated rate of session kill requests from unusual sources or service accounts
Detection Strategies
- Implement logging to capture the scope level of all requests to session management endpoints
- Create alerts for session termination requests where the authenticated user lacks write permissions
- Monitor for patterns of session kills that don't correlate with expected administrative activity
- Review API gateway logs for discrepancies between granted scopes and accessed endpoints
Monitoring Recommendations
- Enable detailed audit logging for all session management operations in OpenClaw
- Configure alerting thresholds for unusual session termination patterns
- Implement scope validation monitoring at the API gateway layer
- Correlate authentication events with session management actions to identify privilege misuse
How to Mitigate CVE-2026-41298
Immediate Actions Required
- Upgrade OpenClaw to version 2026.4.2 or later immediately
- Audit logs for any suspicious session termination activity from read-scoped API consumers
- Review and revoke any read-only tokens that may have been used to exploit this vulnerability
- Implement additional network-level controls to restrict access to session management endpoints
Patch Information
The vulnerability is resolved in OpenClaw version 2026.4.2. The fix modifies the session kill HTTP handler to properly enforce write scopes by utilizing authorizeGatewayHttpRequestOrReply and authorizeOperatorScopesForMethod functions, ensuring that only callers with appropriate write-level permissions can terminate sessions.
For detailed patch information, see the GitHub Security Advisory and the commit fix.
Workarounds
- Restrict network access to the /sessions/:sessionKey/kill endpoint using firewall rules or reverse proxy configurations
- Implement an API gateway policy that enforces write scope validation before requests reach OpenClaw
- Temporarily disable identity-bearing HTTP modes if write-scope enforcement cannot be guaranteed
- Deploy a Web Application Firewall (WAF) rule to block unauthorized POST requests to session management endpoints
# Example: Restrict session kill endpoint access via nginx reverse proxy
location ~ ^/sessions/.*/kill$ {
# Only allow requests from trusted admin IPs
allow 10.0.0.0/8;
deny all;
proxy_pass http://openclaw-backend;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
