GHSA-5hff-46vh-rxmw
OpenClaw: Read-scoped identity-bearing HTTP clients could kill sessions via /sessions/:sessionKey/kill
## Summary
Before OpenClaw 2026.4.2, `POST /sessions/:sessionKey/kill` did not enforce write scopes in identity-bearing HTTP modes. A caller limited to read-only operator scopes could still terminate a running subagent session.
## Impact
A read-scoped caller could perform a write-class control-plane mutation and interrupt delegated work. This was an authorization bug on the HTTP scope boundary, not a shared-secret compatibility exception.
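The scope boundary the advisory describes, as an added example that is not OpenClaw's code: a route-to-scope table in which session kill is classed as a write, and an `authorize` check that denies identity-bearing callers holding only a read scope while leaving shared-secret callers unscoped. The scope names `operator.read`/`operator.write`, the auth-context shape and the route table are assumptions; the fail-closed default for unlisted non-GET routes goes beyond the advisory and is a general hardening, not a description of the fix.

```javascript
// Added example, not OpenClaw's code. Scope names, auth-context shape and
// route table are assumptions made for illustration.
const ROUTE_SCOPES = new Map([
  ["GET /sessions", "operator.read"],
  ["GET /sessions/:sessionKey", "operator.read"],
  // Killing a session mutates control-plane state, so it is write-class.
  ["POST /sessions/:sessionKey/kill", "operator.write"],
]);

// Scope a route requires. Unlisted routes fail closed: anything that is not
// a GET is treated as a write, so a newly added mutation cannot be reached
// with read-only access the way the kill endpoint could before 2026.4.2.
function requiredScope(route) {
  const known = ROUTE_SCOPES.get(route);
  if (known) return known;
  return route.startsWith("GET ") ? "operator.read" : "operator.write";
}

// auth = { mode: "shared-secret" | "identity", scopes: string[] }
// Shared-secret callers carry no per-identity scopes and are accepted as a
// whole (assumed to mirror the compatibility behaviour the advisory refers
// to); identity-bearing callers must hold the route's required scope.
function authorize(auth, route) {
  const need = requiredScope(route);
  if (auth.mode === "shared-secret") return { ok: true, need };
  if (auth.mode !== "identity") {
    return { ok: false, need, reason: "unknown auth mode" };
  }
  const ok = Array.isArray(auth.scopes) && auth.scopes.includes(need);
  return ok ? { ok, need } : { ok, need, reason: `missing scope ${need}` };
}

// Constructed callers for the cases the advisory describes.
const readOnlyOperator = { mode: "identity", scopes: ["operator.read"] };
const writeOperator = {
  mode: "identity",
  scopes: ["operator.read", "operator.write"],
};
const sharedSecretCaller = { mode: "shared-secret", scopes: [] };

// Decision table for the kill route, one row per caller kind.
function killDecisions() {
  const route = "POST /sessions/:sessionKey/kill";
  return {
    readOnly: authorize(readOnlyOperator, route).ok, // false after the fix
    write: authorize(writeOperator, route).ok, // true
    sharedSecret: authorize(sharedSecretCaller, route).ok, // true
  };
}
```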
## Affected Packages / Versions
- Package: `openclaw` (npm)
- Affected versions: `<= 2026.4.1`
- Patched versions: `>= 2026.4.2`
- Latest published npm version: `2026.4.1`
## Fix Commit(s)
- `54a0878517167c6e49900498cf77420dadb74beb` — enforce session-kill HTTP scopes
## Release Process Note
The fix is present on `main` and is staged for OpenClaw `2026.4.2`. Publish this advisory after the `2026.4.2` npm release is live.
Thanks @EaEa0001 for reporting.
## References
- https://github.com/openclaw/openclaw/security/advisories/GHSA-5hff-46vh-rxmw [WEB]
- https://nvd.nist.gov/vuln/detail/CVE-2026-41298 [ADVISORY]
- https://github.com/openclaw/openclaw/commit/54a0878517167c6e49900498cf77420dadb74beb [WEB]
- https://github.com/openclaw/openclaw [PACKAGE]
- https://www.vulncheck.com/advisories/openclaw-authorization-bypass-in-session-termination-endpoint [WEB]