GHSA-9P93-7J67-5PC2: Missing Authorization in OpenClaw Gateway Session Termination

The OpenClaw gateway exposes a REST API endpoint at POST /sessions/:sessionKey/kill designed to terminate active subagent runs or user sessions. This endpoint processes requests from clients and routes them to the internal control plane for execution. The gateway acts as the primary enforcement point for ensuring that only authorized users can manage session lifecycles.

The vulnerability, classified as Missing Authorization (CWE-862) and Improper Authorization (CWE-285), resides in the HTTP request handler responsible for this termination logic. The core issue involves a fundamental flaw in the scope binding mechanism applied to incoming bearer tokens. The system fails to evaluate the actual permissions associated with the provided token before granting access to privileged internal functions.

Exploitation of this vulnerability yields a targeted denial-of-service condition against the gateway. Any standard user possessing a valid bearer token can bypass ownership validation checks and terminate sessions belonging to other users or system administrators. The GitHub Security Advisory classifies this issue with a High severity rating due to the ease of exploitation and the direct impact on system availability.

This flaw undermines the isolation guarantees expected in multi-tenant or distributed gateway architectures. An attacker requires only a low-privileged account to disrupt critical administrative operations or terminate operational data flows managed by the OpenClaw environment.

The vulnerability stems from the internal request routing within the OpenClaw gateway's session handler. When a termination request arrives, the application must construct an authorization context and verify the caller's permissions before invoking the sensitive killSubagentRunAdmin function. This function executes a global session kill without further validation of the requester's identity.

The implementation flaw exists in the canBearerTokenKillSessions function within src/gateway/session-kill-http.ts. This function incorrectly trusts any mathematically valid and authenticated bearer token, completely ignoring the specific roles or scopes assigned to the user within the identity provider. The logic statically injects ADMIN_SCOPE and WRITE_SCOPE into the request authorization context as long as the token successfully passes basic signature verification.

This hardcoded scope assignment completely bypasses the intended role-based access control (RBAC) model. The downstream authorization middleware evaluates the newly assigned administrative scopes rather than the cryptographic claims originally embedded in the bearer token. Consequently, the middleware falsely concludes that the requester possesses the necessary authorization to perform destructive operations on any session.

The resulting state transition enables a privilege escalation path specific to the session termination functionality. The request passes the authorizeOperatorScopesForMethod checks, allowing a standard user token to traverse the killSubagentRunAdmin path. The system blindly executes the termination command against the user-supplied :sessionKey parameter.

The vulnerable implementation in src/gateway/session-kill-http.ts demonstrates the flawed authorization logic. The application hardcoded the administrative scope assignment, trusting the mere presence of a token without verifying explicit permissions.

function canBearerTokenKillSessions(token: string | undefined, authOk: boolean): boolean {
  if (!token || !authOk) {
    return false;
  }
  // Vulnerable logic: All valid tokens receive ADMIN_SCOPE
  const bearerScopes = [ADMIN_SCOPE, WRITE_SCOPE];
  return (
    authorizeOperatorScopesForMethod("sessions.delete", bearerScopes).allowed ||
    authorizeOperatorScopesForMethod("sessions.abort", bearerScopes).allowed
  );
}

The patch introduced in commit 02cf12371f9353a16455da01cc02e6c4ecfc4152 removes this function entirely. The maintainers eliminated the static scope assignment, acknowledging that the bearer token fallback bypassed the established access control mechanisms.

// Removed bearer token fallback completely
- const allowBearerOperatorKill = canBearerTokenKillSessions(token, true);
 
// Enforced strict local admin or explicit requester ownership
- if (!requesterSessionKey && !allowLocalAdminKill && !allowBearerOperatorKill) {
+ if (!requesterSessionKey && !allowLocalAdminKill) {

The updated authorization enforcement mechanism strictly requires either a validated requesterSessionKey matching the target session or a verified isLocalDirectRequest flag. The gateway now extracts the x-openclaw-requester-session-key header provided by the client and cryptographically validates it against the target session's controller. This design ensures that only the verifiable session owner or a local gateway administrator operating from a trusted context can terminate an active session.

Exploitation requires the attacker to possess a valid, minimally privileged bearer token for the target OpenClaw instance and network access to the gateway API. No advanced privileges or administrative roles are necessary. The attacker must also identify or predict the :sessionKey identifier of the target session they intend to terminate.

The reconnaissance phase involves discovering valid session keys belonging to other users or system processes. These identifiers might be exposed via other insufficiently protected API endpoints, predictable generation algorithms, or intercepted through localized network traffic analysis. Once a target session key is obtained, the attacker can proceed to the execution phase.

The attacker constructs a standard HTTP POST request directed at the /sessions/<target-session-key>/kill endpoint. The attacker injects their standard user bearer token into the Authorization header of the request.

POST /sessions/target-session-key/kill HTTP/1.1
Host: api.openclaw-gateway.internal
Authorization: Bearer <low-privileged-attacker-token>

The gateway processes the request, invokes the vulnerable canBearerTokenKillSessions function, and incorrectly applies the administrative scope. The gateway immediately terminates the target session and returns an HTTP 200 OK status to the attacker. The targeted user experiences an abrupt disconnection and a denial-of-service condition.

The primary impact of this vulnerability is a severe degradation of system availability. By repeatedly terminating active sessions, an attacker can disrupt legitimate administrative workflows, drop active subagent connections, and render the OpenClaw gateway functionally unstable for authorized users. The ability to sever arbitrary sessions constitutes a highly effective, targeted denial-of-service attack.

The attack requires only a low privilege level, specifically a standard user account capable of obtaining a valid bearer token. The vector is strictly over the network, allowing remote exploitation against any exposed OpenClaw gateway interface. The exploit complexity remains low, requiring only a single, easily constructed HTTP POST request.

This vulnerability does not compromise system confidentiality or integrity. The authorization bypass is limited strictly to the session termination code path. The attacker cannot read session data, access sensitive database credentials, extract administrative tokens, or modify the gateway's internal configuration files.

In multi-tenant OpenClaw deployments, this vulnerability permits cross-tenant interference. An attacker operating within one tenant boundary can terminate the operational sessions of a completely distinct tenant, provided they obtain the necessary session keys. This violates the fundamental isolation guarantees expected in secure distributed gateway architectures.

Administrators must upgrade the OpenClaw gateway software to a release subsequent to version 2026.3.24 that incorporates commit 02cf12371f9353a16455da01cc02e6c4ecfc4152. This patch fundamentally alters the authorization logic, removing the automatic administrative scope assignment and enforcing strict cryptographic ownership checks for all termination requests.

In environments where immediate patching is unfeasible, operators can implement reverse proxy rules or Web Application Firewall (WAF) policies to restrict access to the /sessions/*/kill endpoint. Administrators should configure these network controls to deny all external requests to the kill endpoint, limiting access strictly to trusted internal IP ranges or verified administrative subnets.

Following the application of the patch, infrastructure teams must verify that the x-openclaw-requester-session-key header is properly preserved and forwarded by all intermediate load balancers and API gateways. The patched OpenClaw gateway relies on this specific header to definitively validate session ownership, and stripped headers will result in legitimate users being unable to terminate their own sessions.

Security operations centers should proactively query gateway access logs for suspicious activity. Analysts must investigate HTTP POST requests directed at the kill endpoint that originate from non-administrative IP addresses, or instances where the requester's identity context clearly diverges from the known owner of the terminated session.