High severity8.1NVD Advisory· Published Apr 9, 2026· Updated Apr 15, 2026

CVE-2026-34512

Description

OpenClaw before 2026.3.25 contains an improper access control vulnerability in the HTTP /sessions/:sessionKey/kill route that allows any bearer-authenticated user to invoke admin-level session termination functions without proper scope validation. Attackers can exploit this by sending authenticated requests to kill arbitrary subagent sessions via the killSubagentRunAdmin function, bypassing ownership and operator scope restrictions.

Affected products

OpenClaw/Openclaw
cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*
Range: <2026.3.25

Patches

02cf12371f93

https://github.com/openclaw/openclawvia nvd-ref

commit

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

github.com/openclaw/openclaw/commit/02cf12371f9353a16455da01cc02e6c4ecfc4152nvdPatch
github.com/openclaw/openclaw/security/advisories/GHSA-9p93-7j67-5pc2nvdVendor Advisory
www.vulncheck.com/advisories/openclaw-improper-access-control-in-sessions-sessionkey-kill-endpointnvdThird Party Advisory

News mentions

No linked articles in our index yet.

cvss	0.526
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000