PT-2026-31755 · Openclaw · Openclaw

Peng Zhou · Published 2026-04-09 · Updated 2026-04-10

CVE-2026-34512

CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
Name of the Vulnerable Software and Affected Versions: OpenClaw versions prior to 2026.3.25

Description: OpenClaw contains an improper access control issue in the /sessions/:sessionKey/kill route. Any bearer-authenticated user can invoke admin-level session termination functions without proper scope validation. An attacker can exploit this by sending authenticated requests to terminate arbitrary subagent sessions via the killSubagentRunAdmin function, bypassing ownership and operator scope restrictions.

Recommendations: Update to version 2026.3.25 or later.

Tags: Fix · LPE · Incorrect Authorization



Related Identifiers: CVE-2026-34512

Affected Products: Openclaw