GHSA-5hff-46vh-rxmw: OpenClaw: read-only scope bypass kills agent sessions

GHSA-5hff-46vh-rxmw MEDIUM
Published April 7, 2026
CISO Take

OpenClaw's HTTP session management API failed to enforce write-scope authorization on the session-kill endpoint, allowing any caller with read-only operator credentials to terminate running subagent sessions, which is a write-class control-plane operation. For teams running OpenClaw as an AI agent orchestration backbone, this means any compromised or insider read-only credential becomes a disruption vector against live agent workflows and delegated workloads. The 37 documented CVEs in this package signal persistent authorization debt that warrants architectural review before expanding production use. Upgrade to openclaw >= 2026.4.2 immediately when the npm release is live; in the interim, restrict POST /sessions/:sessionKey/kill at your API gateway to write-scoped principals only and audit read-only operator assignments.

Sources: GitHub Advisory ATLAS

Risk Assessment

Medium risk overall, elevated in multi-tenant or enterprise AI agent deployments. Exploitation requires valid (read-only) credentials, limiting unauthenticated attack surface. However, in environments where read access is broadly provisioned — common in ops and monitoring teams — the blast radius scales directly with the number of active subagent sessions. The pattern of 37 prior CVEs in openclaw suggests systemic authorization weaknesses warranting heightened scrutiny rather than treating this as an isolated incident.

Affected Systems

| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| openclaw | npm | <= 2026.4.1 | 2026.4.2 |


Severity & Risk

CVSS 3.1: N/A
EPSS: N/A
Exploitation Status: No known exploitation
Sophistication: Trivial

Recommended Action

  1. Upgrade to openclaw >= 2026.4.2 as soon as the npm package is published — confirm release before deploying.
  2. Until patched: restrict access to POST /sessions/:sessionKey/kill at WAF or API gateway layer, requiring write-scope tokens only.
  3. Audit all read-only operator scope assignments and identify principals with API access to the session management plane.
  4. Review logs for anomalous POST /sessions/*/kill calls from read-scoped service accounts.
  5. Rotate credentials for any read-only operators with broad API access as a precaution.
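Steps 2 and 4 rest on the same predicate: a POST to /sessions/:sessionKey/kill from a caller that holds no write scope. The sketch below is an added example, not OpenClaw's own code; the JSON-lines log shape (`ts`, `principal`, `scopes`, `method`, `path`, `status`) and the scope names `operator.read` / `operator.write` are assumptions to adapt to your gateway.

```javascript
// Added example: flags session-kill requests made by callers without a write scope.
// The JSON-lines log shape and the scope names are assumptions, not OpenClaw's own.
const WRITE_SCOPE = "operator.write"; // hypothetical scope name

// Matches /sessions/<one path segment>/kill, with optional trailing slash or query.
const KILL_ROUTE = /^\/sessions\/[^/?#]+\/kill\/?(?:[?#].*)?$/;

function isSessionKill(method, path) {
  return String(method).toUpperCase() === "POST" && KILL_ROUTE.test(String(path));
}

// Gateway-style decision: kill requests need the write scope; other routes pass through.
function allowRequest(method, path, scopes) {
  if (!isSessionKill(method, path)) return true;
  return Array.isArray(scopes) && scopes.includes(WRITE_SCOPE);
}

// Audit pass over JSON-lines access logs; returns kill calls that lacked the write scope.
function findReadScopedKills(logText) {
  const findings = [];
  for (const line of logText.split("\n")) {
    if (!line.trim()) continue;
    let entry;
    try { entry = JSON.parse(line); } catch { continue; } // skip malformed lines
    if (!entry || typeof entry !== "object") continue;
    if (!allowRequest(entry.method, entry.path, entry.scopes)) {
      findings.push({ ts: entry.ts, principal: entry.principal,
                      path: entry.path, status: entry.status });
    }
  }
  return findings;
}

// Constructed sample log lines (not real data).
const SAMPLE_LOG = [
  '{"ts":"2026-04-07T10:00:01Z","principal":"svc-monitor","scopes":["operator.read"],"method":"GET","path":"/sessions","status":200}',
  '{"ts":"2026-04-07T10:00:05Z","principal":"svc-monitor","scopes":["operator.read"],"method":"POST","path":"/sessions/sess-a1/kill","status":200}',
  '{"ts":"2026-04-07T10:00:09Z","principal":"ops-admin","scopes":["operator.read","operator.write"],"method":"POST","path":"/sessions/sess-b2/kill","status":200}',
  'not-json garbage line',
  '{"ts":"2026-04-07T10:00:12Z","principal":"svc-monitor","scopes":["operator.read"],"method":"post","path":"/sessions/sess-c3/kill/","status":200}',
].join("\n");

console.log(findReadScopedKills(SAMPLE_LOG));
```

A 2xx status on a flagged entry means the kill went through on an unpatched server; after upgrading, the same requests should show up as denied.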

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act: Art. 9 - Risk management system
ISO 42001: A.6.2 - AI system roles and responsibilities
NIST AI RMF: GOVERN 1.2 - Accountability structures for AI systems
OWASP LLM Top 10: LLM06 - Excessive Agency

Technical Details

NVD Description

## Summary

Before OpenClaw 2026.4.2, `POST /sessions/:sessionKey/kill` did not enforce write scopes in identity-bearing HTTP modes. A caller limited to read-only operator scopes could still terminate a running subagent session.

## Impact

A read-scoped caller could perform a write-class control-plane mutation and interrupt delegated work. This was an authorization bug on the HTTP scope boundary, not a shared-secret compatibility exception.

## Affected Packages / Versions

- Package: `openclaw` (npm)
- Affected versions: `<= 2026.4.1`
- Patched versions: `>= 2026.4.2`
- Latest published npm version: `2026.4.1`

## Fix Commit(s)

- `54a0878517167c6e49900498cf77420dadb74beb` — enforce session-kill HTTP scopes

## Release Process Note

The fix is present on `main` and is staged for OpenClaw `2026.4.2`. Publish this advisory after the `2026.4.2` npm release is live.

Thanks @EaEa0001 for reporting.

Exploitation Scenario

An adversary — insider threat, compromised monitoring service account, or attacker who phished a read-only API token — enumerates active session keys via read-accessible listing endpoints then iterates POST /sessions/:sessionKey/kill requests against running subagent sessions. In a production pipeline, this could abort a long-running compliance scan, interrupt an automated security review, or selectively kill sessions processing sensitive data to force retries under attacker-influenced conditions — all without triggering write-scope authorization alerts.

Timeline

Published: April 7, 2026
Last Modified: April 7, 2026
First Seen: April 7, 2026
