CVE-2026-41298

CVSS v4.0

5.3

Medium

AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N

Summary

Before OpenClaw 2026.4.2, POST /sessions/:sessionKey/kill did not enforce write scopes in identity-bearing HTTP modes. A caller limited to read-only operator scopes could still terminate a running subagent session.

Impact

A read-scoped caller could perform a write-class control-plane mutation and interrupt delegated work. This was an authorization bug on the HTTP scope boundary, not a shared-secret compatibility exception.

Affected Packages / Versions

Package: openclaw (npm)
Affected versions: <= 2026.4.1
Patched versions: >= 2026.4.2
Latest published npm version: 2026.4.1

Fix Commit(s)

54a0878517167c6e49900498cf77420dadb74beb — enforce session-kill HTTP scopes

Release Process Note

The fix is present on main and is staged for OpenClaw 2026.4.2. Publish this advisory after the 2026.4.2 npm release is live.

Thanks @EaEa0001 for reporting.

Fix

Improper Privilege Management

Missing Authorization

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-269CWE-862

Related Identifiers

CVE-2026-41298

GHSA-5HFF-46VH-RXMW

Affected Products

Openclaw

CVE-2026-41298

Summary

Impact

Affected Packages / Versions

Fix Commit(s)

Release Process Note

Weakness Enumeration

Related Identifiers

Affected Products

References · 6