📄 Description (English)
OpenClaw before 2026.3.25 contains an improper access control vulnerability in the HTTP /sessions/:sessionKey/kill route that allows any bearer-authenticated user to invoke admin-level session termination functions without proper scope validation. Attackers can exploit this by sending authenticated requests to kill arbitrary subagent sessions via the killSubagentRunAdmin function, bypassing ownership and operator scope restrictions.
🤖 AI Executive Summary
OpenClaw versions before 2026.3.25 contain a critical access control vulnerability (CVE-2026-34512) allowing authenticated users to terminate arbitrary subagent sessions with admin privileges without proper authorization checks. The vulnerability affects the /sessions/:sessionKey/kill HTTP endpoint and could enable unauthorized session disruption, lateral movement, or denial of service attacks. With a CVSS score of 8.1 and no patch currently available, immediate compensating controls are essential for Saudi organizations using OpenClaw in production environments.
📄 Description (Arabic)
🤖 AI Intelligence Analysis Analyzed: Apr 26, 2026 11:51
🇸🇦 Saudi Arabia Impact Assessment
This vulnerability poses significant risk to Saudi organizations deploying OpenClaw in critical infrastructure, particularly: (1) Government agencies and NCA-regulated entities using OpenClaw for automated administrative tasks or session management; (2) Banking and financial institutions (SAMA-regulated) if OpenClaw manages authentication sessions or API gateways; (3) Telecommunications providers (STC, Mobily) using OpenClaw for network automation; (4) Healthcare organizations managing patient data access through OpenClaw-based systems; (5) Energy sector (ARAMCO, SEC) if OpenClaw controls critical operational technology sessions. The vulnerability enables privilege escalation and unauthorized session termination, potentially disrupting business continuity and enabling lateral movement within compromised networks.
🏢 Affected Saudi Sectors
Government and Public Administration
Banking and Financial Services
Telecommunications
Healthcare
Energy and Utilities
Critical Infrastructure
🎯 MITRE ATT&CK Techniques
T1078 - Valid Accounts (abuse of authenticated access)
T1548 - Abuse Elevation Control Mechanism (privilege escalation via improper access control)
T1531 - Account Access Removal (session termination as denial of service)
T1562 - Impair Defenses (disabling monitoring through session termination)
T1021 - Remote Services (lateral movement via session manipulation)
⚖️ Saudi Risk Score (AI)
7.8
/ 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Inventory all OpenClaw deployments across your organization and identify versions prior to 2026.3.25
2. Restrict network access to OpenClaw HTTP endpoints using firewall rules—limit /sessions/:sessionKey/kill access to trusted administrative networks only
3. Implement API gateway authentication layer requiring multi-factor authentication (MFA) for all session management operations
4. Enable comprehensive audit logging for all /sessions endpoints with alerts on unauthorized kill attempts
5. Review and revoke bearer tokens for service accounts with OpenClaw access; implement token rotation policies
COMPENSATING CONTROLS (until patch available):
6. Deploy Web Application Firewall (WAF) rules to block requests to /sessions/:sessionKey/kill from non-administrative source IPs
7. Implement scope validation at application layer—verify user roles before processing session termination requests
8. Use API rate limiting to prevent automated session termination attacks
9. Segment OpenClaw infrastructure from production systems using network isolation
10. Implement zero-trust access controls requiring explicit authorization for each session operation
DETECTION RULES:
11. Monitor for HTTP POST/DELETE requests to /sessions/:sessionKey/kill endpoints from non-admin accounts
12. Alert on killSubagentRunAdmin function invocations by users lacking admin scope
13. Track bearer token usage patterns—flag tokens making multiple session termination requests
14. Monitor for rapid successive session kill attempts (potential DoS)
15. Log all authentication context changes and scope elevation attempts
PATCHING STRATEGY:
16. Subscribe to OpenClaw security advisories and prepare upgrade to 2026.3.25 immediately upon release
17. Test patch in isolated lab environment before production deployment
18. Plan maintenance window for patching with minimal business impact
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية:
1. قم بحصر جميع نشرات OpenClaw عبر مؤسستك وحدد الإصدارات السابقة للإصدار 2026.3.25
2. قيّد الوصول إلى نقاط نهاية HTTP في OpenClaw باستخدام قواعد جدار الحماية—حدد وصول /sessions/:sessionKey/kill للشبكات الإدارية الموثوقة فقط
3. طبّق طبقة مصادقة بوابة API تتطلب المصادقة متعددة العوامل (MFA) لجميع عمليات إدارة الجلسات
4. فعّل تسجيل التدقيق الشامل لجميع نقاط نهاية /sessions مع تنبيهات محاولات القتل غير المصرح بها
5. راجع وأبطل رموز Bearer لحسابات الخدمة التي تحتوي على وصول OpenClaw؛ طبّق سياسات تدوير الرموز
الضوابط التعويضية (حتى توفر التصحيح):
6. نشّر قواعد جدار تطبيقات الويب (WAF) لحجب الطلبات إلى /sessions/:sessionKey/kill من عناوين IP غير إدارية
7. طبّق التحقق من النطاق على مستوى التطبيق—تحقق من أدوار المستخدم قبل معالجة طلبات إنهاء الجلسة
8. استخدم تحديد معدل API لمنع هجمات إنهاء الجلسات الآلية
9. قسّم بنية OpenClaw عن الأنظمة الإنتاجية باستخدام العزل الشبكي
10. طبّق ضوابط الوصول بدون ثقة تتطلب تفويضاً صريحاً لكل عملية جلسة
قواعد الكشف:
11. راقب طلبات HTTP POST/DELETE إلى نقاط نهاية /sessions/:sessionKey/kill من حسابات غير إدارية
12. أصدر تنبيهات عند استدعاء دالة killSubagentRunAdmin من قبل مستخدمين يفتقرون إلى نطاق المسؤول
13. تتبع أنماط استخدام رموز Bearer—علّم الرموز التي تقوم بعمليات إنهاء جلسات متعددة
14. راقب محاولات إنهاء الجلسات المتتالية السريعة (احتمال DoS)
15. سجّل جميع تغييرات سياق المصادقة ومحاولات رفع النطاق
استراتيجية التصحيح:
16. اشترك في استشارات أمان OpenClaw وجهّز للترقية إلى الإصدار 2026.3.25 فوراً عند الإصدار
17. اختبر التصحيح في بيئة معملية معزولة قبل نشر الإنتاج
18. خطّط نافذة صيانة للتصحيح بأقل تأثير على الأعمال
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
ECC 2024 A.9.2.1 - User access management and authentication controls
ECC 2024 A.9.4.3 - Access control review and authorization verification
ECC 2024 A.8.2.3 - Segregation of duties and privilege management
ECC 2024 A.12.4.1 - Event logging and monitoring of access control violations
🔵 SAMA CSF
SAMA CSF ID.AM-2 - Software and hardware inventory management
SAMA CSF PR.AC-1 - Access control policy and procedures
SAMA CSF PR.AC-4 - Access rights and privileges management
SAMA CSF DE.CM-1 - Detection and monitoring of unauthorized access attempts
🟡 ISO 27001:2022
ISO 27001:2022 A.5.15 - Access control
ISO 27001:2022 A.8.2 - User access management
ISO 27001:2022 A.8.3 - User responsibilities
ISO 27001:2022 A.8.4 - Access rights review
🟣 PCI DSS v4.0.1
PCI DSS 7.1 - Restrict access to cardholder data by business need to know
PCI DSS 7.2 - Establish an access control system for systems components
PCI DSS 8.2 - Ensure proper user authentication and access management
🔗 References & Sources 3
🔗
https://github.com/openclaw/openclaw/commit/02cf12371f9353a16455da01cc02e6c4ecfc4152
disclosure@vulncheck.com
Patch
🔗
https://github.com/openclaw/openclaw/security/advisories/GHSA-9p93-7j67-5pc2
disclosure@vulncheck.com
Vendor Advisory
🔗
https://www.vulncheck.com/advisories/openclaw-improper-access-control-in-sessions-sessi...
disclosure@vulncheck.com
Third Party Advisory
📦 Affected Products / CPE 1 entries
openclaw:openclaw