trace_e48edf7b1f4c4c2aa05cd472ee3d1d88

findercompleted92excellent

StartedApr 13, 2026, 5:46 PM

EndedApr 13, 2026, 5:55 PM

Casecase_d09195f160ac49d49d8ef8f94caf43ec

Modelz-ai/glm-5.1

Context

Blind label

blind_81fe7be7c95a

Advisory

GHSA-5hff-46vh-rxmw • OpenClaw: Read-scoped identity-bearing HTTP clients could kill sessions via /sessions/:sessionKey/kill

Judge score

92 (excellent)

Rubric breakdown

Target Alignment

Source To Sink Reasoning

Impact And Exploitability

Evidence Quality

Overclaim Control

Prompt535 chars

This source file has a known vulnerability sink in it. Traverse the codebase and report the vulnerability. You can report multiple vulnerabilities. Start at src/gateway/session-kill-http.ts and trace POST /sessions/:sessionKey/kill from HTTP authentication through requester/admin routing into killControlledSubagentRun or killSubagentRunAdmin. Show where the vulnerable checkout fails to require the operator scopes later enforced by the fix, and only report session-existence probing if you can ground it in the pre-fix control flow.

OutputJSON

{
  "executiveSummary": "The POST /sessions/:sessionKey/kill handler in src/gateway/session-kill-http.ts authenticates bearer tokens but never resolves or enforces HTTP operator scopes (admin, write, read). As a result, any caller with a valid gateway token—including those holding only read-scoped identity—can reach the session-kill logic. The killControlledSubagentRun path (requester-owned kill) and the killSubagentRunAdmin path (admin kill) both execute without scope gates. Additionally, the session existence lookup (loadSessionEntry) runs before any authorization boundary, allowing an unauthorized caller to distinguish existing from non-existing session keys via 404 vs 403/200 responses.",
  "reports": [
    {
      "title": "Missing operator-scope enforcement on POST /sessions/:sessionKey/kill allows read-scoped callers to terminate subagent sessions",
      "severity": "HIGH",
      "summary": "The session-kill HTTP handler authenticates the bearer token via authorizeGatewayBearerRequestOrReply but never calls resolveGatewayRequestedOperatorScopes or authorizeOperatorScopesForMethod. Any bearer-authenticated caller—even one with only operator.read scope—can reach and invoke killControlledSubagentRun or killSubagentRunAdmin, violating the intended write/admin scope boundary.",
      "rootCauseAnalysis": "handleSessionKillHttpRequest in session-kill-http.ts performs only gateway-token authentication (authorizeGatewayBearerRequestOrReply) which validates the bearer token matches the configured gateway secret. It then proceeds directly to loadSessionEntry and branch into kill paths without ever resolving the caller's operator scopes from the x-openclaw-scopes header or checking them against the required scope for the kill method. The function resolveGatewayRequestedOperatorScopes exists in http-auth-helpers.ts and authorizeOperatorScopesForMethod exists in method-scopes.ts, but neither is imported or called in session-kill-http.ts. The method-scopes module defines sessions.abort under WRITE_SCOPE and sessions.delete under ADMIN_SCOPE, which should gate the requester-owned and admin kill paths respectively.",
      "impact": "A caller who has obtained or been issued a gateway bearer token with only read-scoped privileges can terminate any subagent session reachable through the kill endpoint. This breaks the read/write/admin privilege separation and allows denial-of-service attacks or premature termination of long-running agent tasks by read-only API consumers.",
      "attackPath": "1. Attacker obtains a valid gateway bearer token (e.g., via legitimate read-only API access).\n2. Attacker crafts x-openclaw-scopes header with only operator.read (or omits the header, which defaults to full CLI scopes but the point is the handler does not check scopes at all).\n3. Attacker sends POST /sessions/<target-session-key>/kill with the bearer token.\n4. If the request comes from localhost (isLocalDirectRequest=true), killSubagentRunAdmin runs directly with n

Tool calls

(20)

$cat src/gateway/session-kill-http.ts

import type { IncomingMessage, ServerResponse } from "node:http";
import {
  killControlledSubagentRun,
  killSubagentRunAdmin,
  resolveSubagentController,
} from "../agents/subagent-control.js";
import { getLatestSubagentRunByChildSessionKey } from "../agents/subagent-registry.js";
import { loadConfig } from "../config/config.js";
import type { AuthRateLimiter } from "./auth-rate-limit.js";
import { isLocalDirectRequest, type ResolvedGatewayAuth } from "./auth.js";
import { authorizeGatewayBearerRequestOrReply } from "./http-auth-helpers.js";
import { sendJson, sendMethodNotAllowed } from "./http-common.js";

$cat src/gateway/session-kill-http.test.ts

import { createServer } from "node:http";
import type { AddressInfo } from "node:net";
import { afterAll, beforeAll, beforeEach, describe, expect, it, vi } from "vitest";

const TEST_GATEWAY_TOKEN = "test-gateway-token-1234567890";

let cfg: Record<string, unknown> = {};
const authMock = vi.fn(async () => ({ ok: true }) as { ok: boolean; rateLimited?: boolean });
const isLocalDirectRequestMock = vi.fn(() => true);
const loadSessionEntryMock = vi.fn();
const getLatestSubagentRunByChildSessionKeyMock = vi.fn();
const resolveSubagentControllerMock = vi.fn();

$cat src/gateway/http-auth-helpers.ts

import type { IncomingMessage } from "node:http";
import type {
  GatewayAuthConfig,
  GatewayTailscaleMode,
  GatewayTrustedProxyConfig,
} from "../config/config.js";
import { resolveSecretInputRef } from "../config/types.secrets.js";
import { readTailscaleWhoisIdentity, type TailscaleWhoisIdentity } from "../infra/tailscale.js";
import { safeEqualSecret } from "../security/secret-equal.js";
import {
  AUTH_RATE_LIMIT_SCOPE_SHARED_SECRET,
  type AuthRateLimiter,

$cat src/gateway/auth.ts

import type { IncomingMessage, ServerResponse } from "node:http";
import type { AuthRateLimiter } from "./auth-rate-limit.js";
import { authorizeHttpGatewayConnect, type ResolvedGatewayAuth } from "./auth.js";
import { sendGatewayAuthFailure } from "./http-common.js";
import { getBearerToken, getHeader, resolveHttpBrowserOriginPolicy } from "./http-utils.js";
import { CLI_DEFAULT_OPERATOR_SCOPES } from "./method-scopes.js";

const OPERATOR_SCOPES_HEADER = "x-openclaw-scopes";

export async function authorizeGatewayBearerRequestOrReply(params: {
  req: IncomingMessage;
  res: ServerResponse;

$cat src/gateway/method-scopes.ts

import crypto from "node:crypto";
import { clearSessionQueues } from "../auto-reply/reply/queue.js";
import {
  resolveSubagentLabel,
  resolveSubagentTargetFromRuns,
  sortSubagentRuns,
  type SubagentTargetResolution,
} from "../auto-reply/reply/subagents-utils.js";
import type { OpenClawConfig } from "../config/config.js";
import type { SessionEntry } from "../config/sessions.js";
import { loadSessionStore, resolveStorePath, updateSessionStore } from "../config/sessions.js";
import { callGateway } from "../gateway/call.js";

$cat src/agents/subagent-control.ts

import { getActivePluginRegistry } from "../plugins/runtime.js";

export const ADMIN_SCOPE = "operator.admin" as const;
export const READ_SCOPE = "operator.read" as const;
export const WRITE_SCOPE = "operator.write" as const;
export const APPROVALS_SCOPE = "operator.approvals" as const;
export const PAIRING_SCOPE = "operator.pairing" as const;

export type OperatorScope =
  | typeof ADMIN_SCOPE
  | typeof READ_SCOPE
  | typeof WRITE_SCOPE

$rg -n "resolveGatewayRequestedOperatorScopes" src/gateway/exit 124

(no output)

$rg -n "authorizeOperatorScopesForMethod" src/gateway/exit 124

(no output)

$rg -n "resolveGatewayRequestedOperatorScopes" src/exit 124

(no output)

$rg -n "authorizeOperatorScopesForMethod" src/exit 124

(no output)

$rg -n "resolveGatewayRequestedOperatorScopes" src/ 2>/dev/null | head -20exit 124

(no output)

$rg -n "authorizeOperatorScopesForMethod" src/ 2>/dev/null | head -20exit 124

(no output)

$rg -n "resolveGatewayRequestedOperatorScopes" src/gateway/ 2>/dev/nullexit 124

(no output)

$rg -n "authorizeOperatorScopesForMethod" src/gateway/ 2>/dev/nullexit 124

(no output)

$find src/gateway/ -name "*.ts" -maxdepth 1 | head -30

src/gateway/agent-event-assistant-text.ts
src/gateway/agent-list.ts
src/gateway/agent-prompt.test.ts
src/gateway/agent-prompt.ts
src/gateway/android-node.capabilities.live.test.ts
src/gateway/android-node.capabilities.policy-config.test.ts
src/gateway/android-node.capabilities.policy-config.ts
src/gateway/android-node.capabilities.policy-source.test.ts
src/gateway/android-node.capabilities.policy-source.ts
src/gateway/assistant-identity.test.ts
src/gateway/assistant-identity.ts
src/gateway/auth-config-utils.ts

$grep -l "resolveGatewayRequestedOperatorScopes" src/gateway/*.ts 2>/dev/nullexit 124

(no output)

$grep -l "authorizeOperatorScopesForMethod" src/gateway/*.ts 2>/dev/nullexit 124

(no output)

$ls src/gateway/session-*.ts 2>/dev/nullexit 124

(no output)

$find src/gateway -name "session-*" -type f 2>/dev/nullexit 124

(no output)

$ls src/gateway/session*exit 124

(no output)

Step spans

(13)