fix(gateway): propagate real gateway client into plugin subagent runtime

Plugin subagent dispatch used a hardcoded synthetic client carrying
operator.admin, operator.approvals, and operator.pairing for all
runtime.subagent.* calls. Plugin HTTP routes with auth:"plugin" require
no gateway auth by design, so an unauthenticated external request could
drive admin-only gateway methods (sessions.delete, agent.run) through
the subagent runtime.

Propagate the real gateway client into the plugin runtime request scope
when one is available. Plugin HTTP routes now run inside a scoped
runtime client: auth:"plugin" routes receive a non-admin synthetic
operator.write client; gateway-authenticated routes retain admin-capable
scopes. The security boundary is enforced at the HTTP handler level.

Fixes GHSA-xw77-45gv-p728

CHANGELOG.md

@@ -97,6 +97,7 @@ Docs: https://docs.openclaw.ai
 - Agents/Azure OpenAI Responses: include the `azure-openai` provider in the Responses API store override so Azure OpenAI multi-turn cron jobs and embedded agent runs no longer fail with HTTP 400 "store is set to false". (#42934, fixes #42800) Thanks @ademczuk.
 - Agents/context pruning: prune image-only tool results during soft-trim, align context-pruning coverage with the new tool-result contract, and extend historical image cleanup to the same screenshot-heavy session path. (#43045) Thanks @MoerAI.
 - fix(models): guard optional model.input capability checks (#42096) thanks @andyliu
+- Security/plugin runtime: stop unauthenticated plugin HTTP routes from inheriting synthetic admin gateway scopes when they call `runtime.subagent.*`, so admin-only methods like `sessions.delete` stay blocked without gateway auth.
 
 ## 2026.3.8
 

src/gateway/server-methods.ts

@@ -153,5 +153,5 @@ export async function handleGatewayRequest(
   // All handlers run inside a request scope so that plugin runtime
   // subagent methods (e.g. context engine tools spawning sub-agents
   // during tool execution) can dispatch back into the gateway.
-  await withPluginRuntimeGatewayRequestScope({ context, isWebchatConnect }, invokeHandler);
+  await withPluginRuntimeGatewayRequestScope({ context, client, isWebchatConnect }, invokeHandler);
 }

src/gateway/server-plugins.ts

@@ -85,7 +85,7 @@ async function dispatchGatewayMethod<T>(
       method,
       params,
     },
-    client: createSyntheticOperatorClient(),
+    client: scope?.client ?? createSyntheticOperatorClient(),
     isWebchatConnect,
     respond: (ok, payload, error) => {
       if (!result) {

src/gateway/server.talk-config.test.ts

@@ -6,6 +6,7 @@ import {
   publicKeyRawBase64UrlFromPem,
   signDevicePayload,
 } from "../infra/device-identity.js";
+import { withEnvAsync } from "../test-utils/env.js";
 import { buildDeviceAuthPayload } from "./device-auth.js";
 import { validateTalkConfigResult } from "./protocol/index.js";
 import {
@@ -150,45 +151,47 @@ describe("gateway talk.config", () => {
       },
     });
 
-    await withServer(async (ws) => {
+    await withEnvAsync({ ELEVENLABS_API_KEY: "env-elevenlabs-key" }, async () => {
-      await connectOperator(ws, ["operator.read", "operator.write", "operator.talk.secrets"]);
+      await withServer(async (ws) => {
-      const res = await rpcReq<{
+        await connectOperator(ws, ["operator.read", "operator.write", "operator.talk.secrets"]);
-        config?: {
+        const res = await rpcReq<{
-          talk?: {
+          config?: {
-            apiKey?: { source?: string; provider?: string; id?: string };
+            talk?: {
-            providers?: {
+              apiKey?: { source?: string; provider?: string; id?: string };
-              elevenlabs?: {
+              providers?: {
-                apiKey?: { source?: string; provider?: string; id?: string };
+                elevenlabs?: {
+                  apiKey?: { source?: string; provider?: string; id?: string };
+                };
               };
-            };
+              resolved?: {
-            resolved?: {
+                provider?: string;
-              provider?: string;
+                config?: {
-              config?: {
+                  apiKey?: { source?: string; provider?: string; id?: string };
-                apiKey?: { source?: string; provider?: string; id?: string };
+                };
               };
             };
           };
-        };
+        }>(ws, "talk.config", {
-      }>(ws, "talk.config", {
+          includeSecrets: true,
-        includeSecrets: true,
+        });
-      });
+        expect(res.ok).toBe(true);
-      expect(res.ok).toBe(true);
+        expect(validateTalkConfigResult(res.payload)).toBe(true);
-      expect(validateTalkConfigResult(res.payload)).toBe(true);
+        expect(res.payload?.config?.talk?.apiKey).toEqual({
-      expect(res.payload?.config?.talk?.apiKey).toEqual({
+          source: "env",
-        source: "env",
+          provider: "default",
-        provider: "default",
+          id: "ELEVENLABS_API_KEY",
-        id: "ELEVENLABS_API_KEY",
+        });
-      });
+        expect(res.payload?.config?.talk?.providers?.elevenlabs?.apiKey).toEqual({
-      expect(res.payload?.config?.talk?.providers?.elevenlabs?.apiKey).toEqual({
+          source: "env",
-        source: "env",
+          provider: "default",
-        provider: "default",
+          id: "ELEVENLABS_API_KEY",
-        id: "ELEVENLABS_API_KEY",
+        });
-      });
+        expect(res.payload?.config?.talk?.resolved?.provider).toBe("elevenlabs");
-      expect(res.payload?.config?.talk?.resolved?.provider).toBe("elevenlabs");
+        expect(res.payload?.config?.talk?.resolved?.config?.apiKey).toEqual({
-      expect(res.payload?.config?.talk?.resolved?.config?.apiKey).toEqual({
+          source: "env",
-        source: "env",
+          provider: "default",
-        provider: "default",
+          id: "ELEVENLABS_API_KEY",
-        id: "ELEVENLABS_API_KEY",
+        });
       });
     });
   });

src/gateway/server/plugins-http.test.ts

@@ -1,5 +1,7 @@
 import type { IncomingMessage, ServerResponse } from "node:http";
 import { describe, expect, it, vi } from "vitest";
+import type { PluginRuntime } from "../../plugins/runtime/types.js";
+import type { GatewayRequestContext, GatewayRequestOptions } from "../server-methods/types.js";
 import { makeMockHttpResponse } from "../test-http-response.js";
 import { createTestRegistry } from "./__tests__/test-utils.js";
 import {
@@ -8,6 +10,22 @@ import {
   shouldEnforceGatewayAuthForPluginPath,
 } from "./plugins-http.js";
 
+const loadOpenClawPlugins = vi.hoisted(() => vi.fn());
+type HandleGatewayRequestOptions = GatewayRequestOptions & {
+  extraHandlers?: Record<string, unknown>;
+};
+const handleGatewayRequest = vi.hoisted(() =>
+  vi.fn(async (_opts: HandleGatewayRequestOptions) => {}),
+);
+
+vi.mock("../../plugins/loader.js", () => ({
+  loadOpenClawPlugins,
+}));
+
+vi.mock("../server-methods.js", () => ({
+  handleGatewayRequest,
+}));
+
 type PluginHandlerLog = Parameters<typeof createGatewayPluginRequestHandler>[0]["log"];
 
 function createPluginLog(): PluginHandlerLog {
@@ -39,7 +57,85 @@ function buildRepeatedEncodedSlash(depth: number): string {
   return encodedSlash;
 }
 
+function createSubagentRuntimeRegistry() {
+  return createTestRegistry();
+}
+
+async function createSubagentRuntime(): Promise<PluginRuntime["subagent"]> {
+  const serverPlugins = await import("../server-plugins.js");
+  loadOpenClawPlugins.mockReturnValue(createSubagentRuntimeRegistry());
+  serverPlugins.loadGatewayPlugins({
+    cfg: {},
+    workspaceDir: "/tmp",
+    log: {
+      info: vi.fn(),
+      warn: vi.fn(),
+      error: vi.fn(),
+      debug: vi.fn(),
+    },
+    coreGatewayHandlers: {},
+    baseMethods: [],
+  });
+  serverPlugins.setFallbackGatewayContext({} as GatewayRequestContext);
+  const call = loadOpenClawPlugins.mock.calls.at(-1)?.[0] as
+    | { runtimeOptions?: { subagent?: PluginRuntime["subagent"] } }
+    | undefined;
+  if (!call?.runtimeOptions?.subagent) {
+    throw new Error("Expected subagent runtime from loadGatewayPlugins");
+  }
+  return call.runtimeOptions.subagent;
+}
+
 describe("createGatewayPluginRequestHandler", () => {
+  it("caps unauthenticated plugin routes to non-admin subagent scopes", async () => {
+    loadOpenClawPlugins.mockReset();
+    handleGatewayRequest.mockReset();
+    handleGatewayRequest.mockImplementation(async (opts: HandleGatewayRequestOptions) => {
+      const scopes = opts.client?.connect.scopes ?? [];
+      if (opts.req.method === "sessions.delete" && !scopes.includes("operator.admin")) {
+        opts.respond(false, undefined, {
+          code: "invalid_request",
+          message: "missing scope: operator.admin",
+        });
+        return;
+      }
+      opts.respond(true, {});
+    });
+
+    const subagent = await createSubagentRuntime();
+    const log = createPluginLog();
+    const handler = createGatewayPluginRequestHandler({
+      registry: createTestRegistry({
+        httpRoutes: [
+          createRoute({
+            path: "/hook",
+            auth: "plugin",
+            handler: async (_req, _res) => {
+              await subagent.deleteSession({ sessionKey: "agent:main:subagent:child" });
+              return true;
+            },
+          }),
+        ],
+      }),
+      log,
+    });
+
+    const { res, setHeader, end } = makeMockHttpResponse();
+    const handled = await handler({ url: "/hook" } as IncomingMessage, res, undefined, {
+      gatewayAuthSatisfied: false,
+    });
+
+    expect(handled).toBe(true);
+    expect(handleGatewayRequest).toHaveBeenCalledTimes(1);
+    expect(handleGatewayRequest.mock.calls[0]?.[0]?.client?.connect.scopes).toEqual([
+      "operator.write",
+    ]);
+    expect(res.statusCode).toBe(500);
+    expect(setHeader).toHaveBeenCalledWith("Content-Type", "text/plain; charset=utf-8");
+    expect(end).toHaveBeenCalledWith("Internal Server Error");
+    expect(log.warn).toHaveBeenCalledWith(expect.stringContaining("missing scope: operator.admin"));
+  });
+
   it("returns false when no routes are registered", async () => {
     const log = createPluginLog();
     const handler = createGatewayPluginRequestHandler({

src/gateway/server/plugins-http.ts

@@ -1,6 +1,11 @@
 import type { IncomingMessage, ServerResponse } from "node:http";
 import type { createSubsystemLogger } from "../../logging/subsystem.js";
 import type { PluginRegistry } from "../../plugins/registry.js";
+import { withPluginRuntimeGatewayRequestScope } from "../../plugins/runtime/gateway-request-scope.js";
+import { ADMIN_SCOPE, APPROVALS_SCOPE, PAIRING_SCOPE, WRITE_SCOPE } from "../method-scopes.js";
+import { GATEWAY_CLIENT_IDS, GATEWAY_CLIENT_MODES } from "../protocol/client-info.js";
+import { PROTOCOL_VERSION } from "../protocol/index.js";
+import type { GatewayRequestOptions } from "../server-methods/types.js";
 import {
   resolvePluginRoutePathContext,
   type PluginRoutePathContext,
@@ -21,6 +26,32 @@ export { shouldEnforceGatewayAuthForPluginPath } from "./plugins-http/route-auth
 
 type SubsystemLogger = ReturnType<typeof createSubsystemLogger>;
 
+function createPluginRouteRuntimeClient(params: {
+  requiresGatewayAuth: boolean;
+  gatewayAuthSatisfied?: boolean;
+}): GatewayRequestOptions["client"] {
+  // Plugin-authenticated webhooks can still use non-admin subagent helpers,
+  // but they must not inherit admin-only gateway methods by default.
+  const scopes =
+    params.requiresGatewayAuth && params.gatewayAuthSatisfied !== false
+      ? [ADMIN_SCOPE, APPROVALS_SCOPE, PAIRING_SCOPE]
+      : [WRITE_SCOPE];
+  return {
+    connect: {
+      minProtocol: PROTOCOL_VERSION,
+      maxProtocol: PROTOCOL_VERSION,
+      client: {
+        id: GATEWAY_CLIENT_IDS.GATEWAY_CLIENT,
+        version: "internal",
+        platform: "node",
+        mode: GATEWAY_CLIENT_MODES.BACKEND,
+      },
+      role: "operator",
+      scopes,
+    },
+  };
+}
+
 export type PluginHttpRequestHandler = (
   req: IncomingMessage,
   res: ServerResponse,
@@ -49,30 +80,40 @@ export function createGatewayPluginRequestHandler(params: {
     if (matchedRoutes.length === 0) {
       return false;
     }
-    if (
+    const requiresGatewayAuth = matchedPluginRoutesRequireGatewayAuth(matchedRoutes);
-      matchedPluginRoutesRequireGatewayAuth(matchedRoutes) &&
+    if (requiresGatewayAuth && dispatchContext?.gatewayAuthSatisfied === false) {
-      dispatchContext?.gatewayAuthSatisfied === false
-    ) {
       log.warn(`plugin http route blocked without gateway auth (${pathContext.canonicalPath})`);
       return false;
     }
+    const runtimeClient = createPluginRouteRuntimeClient({
+      requiresGatewayAuth,
+      gatewayAuthSatisfied: dispatchContext?.gatewayAuthSatisfied,
+    });
 
-    for (const route of matchedRoutes) {
+    return await withPluginRuntimeGatewayRequestScope(
-      try {
+      {
-        const handled = await route.handler(req, res);
+        client: runtimeClient,
-        if (handled !== false) {
+        isWebchatConnect: () => false,
-          return true;
+      },
+      async () => {
+        for (const route of matchedRoutes) {
+          try {
+            const handled = await route.handler(req, res);
+            if (handled !== false) {
+              return true;
+            }
+          } catch (err) {
+            log.warn(`plugin http route failed (${route.pluginId ?? "unknown"}): ${String(err)}`);
+            if (!res.headersSent) {
+              res.statusCode = 500;
+              res.setHeader("Content-Type", "text/plain; charset=utf-8");
+              res.end("Internal Server Error");
+            }
+            return true;
+          }
         }
-      } catch (err) {
+        return false;
-        log.warn(`plugin http route failed (${route.pluginId ?? "unknown"}): ${String(err)}`);
+      },
-        if (!res.headersSent) {
+    );
-          res.statusCode = 500;
-          res.setHeader("Content-Type", "text/plain; charset=utf-8");
-          res.end("Internal Server Error");
-        }
-        return true;
-      }
-    }
-    return false;
   };
 }

src/plugins/runtime/gateway-request-scope.ts

@@ -5,7 +5,8 @@ import type {
 } from "../../gateway/server-methods/types.js";
 
 export type PluginRuntimeGatewayRequestScope = {
-  context: GatewayRequestContext;
+  context?: GatewayRequestContext;
+  client?: GatewayRequestOptions["client"];
   isWebchatConnect: GatewayRequestOptions["isWebchatConnect"];
 };