CVE Reports

Originally published at cvereports.com

GHSA-9P93-7J67-5PC2: Missing Authorization in OpenClaw Gateway Session Termination

Vulnerability ID: GHSA-9P93-7J67-5PC2
CVSS Score: 6.5
Published: 2026-03-27

The OpenClaw gateway contains an improper authorization vulnerability within its HTTP session termination endpoint. A flaw in scope assignment allows any authenticated user to terminate arbitrary active sessions, resulting in a targeted denial-of-service condition.

TL;DR

A flaw in OpenClaw's bearer token validation automatically assigns administrative scopes to standard users, enabling unauthorized termination of any active session via the /kill endpoint.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-285 / CWE-862
  • Attack Vector: Network
  • Privileges Required: Low
  • CVSS v3.1 Score: 6.5 (Medium/High)
  • Impact: Denial of Service (Availability)
  • Exploit Status: Proof of Concept

Affected Systems

  • OpenClaw Gateway
  • OpenClaw Session Management API
  • openclaw: <= 2026.3.24 (fixed in versions after 2026.3.24, commit 02cf123)

Code Analysis

Commit: 02cf123

Remove bearer token fallback in session kill HTTP handler to enforce strict ownership verification.

- const allowBearerOperatorKill = canBearerTokenKillSessions(token, true);
- if (!requesterSessionKey && !allowLocalAdminKill && !allowBearerOperatorKill) {
+ if (!requesterSessionKey && !allowLocalAdminKill) {
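Review bot: With the `allowBearerOperatorKill` branch dropped, `canBearerTokenKillSessions(token, true)` is no longer called from this handler; confirm whether it still has other callers and, if not, remove it so the bearer-scope fallback cannot be reintroduced at a later call site. The new guard `if (!requesterSessionKey && !allowLocalAdminKill)` only rejects requesters that have neither a session key nor local-admin rights; the "strict ownership verification" promised in the commit message also depends on the subsequent check that the supplied requester session key matches the session being killed, which lies outside this hunk, so verify that check is still enforced and add a regression test in which a bearer-authenticated request to kill another session is expected to be refused.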

Mitigation Strategies

  • Upgrade OpenClaw to a version containing commit 02cf12371f9353a16455da01cc02e6c4ecfc4152.
  • Implement WAF rules to block external access to the /sessions/*/kill endpoint.
  • Ensure load balancers preserve the x-openclaw-requester-session-key HTTP header.
  • Monitor access logs for unauthorized POST requests to the session termination API.
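As an added example that is not part of the advisory or of the OpenClaw project, the monitoring bullet above worked through in Python: it scans access-log lines for POST requests to /sessions/<id>/kill and flags those where the x-openclaw-requester-session-key value is missing or names a different session than the one being killed. The log line layout, the requester= field and the sample entries are constructed assumptions; adapt the LOG_LINE pattern to the real gateway log format.

```python
"""Flag suspicious session-kill requests in OpenClaw gateway access logs."""
import re

# Assumed log line layout (constructed for this example; the advisory does not
# show OpenClaw's real access-log format):
#   <timestamp> <client-ip> <method> <path> <status> requester=<session-key or ->
# where requester= carries the x-openclaw-requester-session-key header value.
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<path>\S+) "
    r"(?P<status>\d{3}) requester=(?P<requester>\S+)$"
)
KILL_PATH = re.compile(r"^/sessions/(?P<target>[^/]+)/kill$")


def analyze_line(line):
    """Return a finding dict for a POST /sessions/<id>/kill that is not a
    session terminating itself, else None."""
    m = LOG_LINE.match(line.strip())
    if not m or m["method"] != "POST":
        return None
    k = KILL_PATH.match(m["path"])
    if not k:
        return None
    target, requester = k["target"], m["requester"]
    if requester == "-":
        reason = "requester-session-key header missing (stripped by a proxy or omitted)"
    elif requester != target:
        reason = "cross-session kill: requester differs from target session"
    else:
        return None
    return {"ts": m["ts"], "client": m["client"], "target": target,
            "requester": requester,
            # 2xx/3xx means the gateway honoured the kill; 4xx means it was refused
            "succeeded": int(m["status"]) < 400, "reason": reason}


def scan(lines):
    """Run analyze_line over log lines, keeping only findings."""
    return [f for f in map(analyze_line, lines) if f is not None]


# Constructed sample log: a self-kill (benign), a cross-session kill that succeeded
# (the advisory's scenario), a kill with the header missing, and one refused.
SAMPLE_LOG = """\
2026-03-26T10:00:01Z 10.0.0.5 POST /sessions/sess-a1/kill 200 requester=sess-a1
2026-03-26T10:00:09Z 10.0.0.9 POST /sessions/sess-b2/kill 200 requester=sess-c3
2026-03-26T10:00:15Z 10.0.0.9 POST /sessions/sess-d4/kill 200 requester=-
2026-03-26T10:01:00Z 10.0.0.9 POST /sessions/sess-e5/kill 403 requester=sess-c3
""".splitlines()
```

A cross-session finding is not automatically malicious, since a local admin may legitimately terminate other sessions, so correlate the requester against the admin allow-list before escalating; findings with a missing header on a patched gateway usually point at a proxy that drops the header.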

Remediation Steps

  1. Identify all deployed instances of the OpenClaw gateway running version 2026.3.24 or older.
  2. Pull the latest patched container image or compile the updated binary from the repository.
  3. Deploy the patched application to a staging environment and verify that legitimate session termination functions correctly.
  4. Roll out the update to production gateway clusters.
  5. Review access logs spanning the previous 30 days for indicators of compromise related to the /kill endpoint.

References


Read the full report for GHSA-9P93-7J67-5PC2 on our website for more details including interactive diagrams and full exploit analysis.
