Ea001

**Name of the Vulnerable Software and Affected Versions** OpenClaw versions prior to 2026.4.2 **Description** In identity-bearing HTTP modes, the software fails to enforce write scopes on the 'POST /sessions/:sessionKey/kill' endpoint. This authorization flaw allows callers with read-only operator scopes to perform write-class control-plane mutations, enabling them to terminate running subagent sessions and interrupt delegated work by sending requests to the affected endpoint using the `sessionKey` variable. **Recommendations** Update to version 2026.4.2 or later.