CVE-2026-32918
CVE-2026-32918
9.2
CriticalPublished:
Last updated:
Source:disclosure@vulncheck.com
Analyzed
Weakness (CWE)
CVSS Vector
v4.0- Attack Vector
- Local
- Attack Complexity
- Low
- Attack Requirements
- None
- Privileges Required
- Low
- User Interaction
- None
- Confidentiality (Vulnerable)
- High
- Integrity (Vulnerable)
- High
- Availability (Vulnerable)
- None
- Confidentiality (Subsequent)
- High
- Integrity (Subsequent)
- High
- Availability (Subsequent)
- None
Description
OpenClaw before 2026.3.11 contains a session sandbox escape vulnerability in the session_status tool that allows sandboxed subagents to access parent or sibling session state. Attackers can supply arbitrary sessionKey values to read or modify session data outside their sandbox scope, including persisted model overrides.
References
disclosure@vulncheck.com
https://github.com/openclaw/openclaw/security/advisories/GHSA-wcxr-59v9-rxr8disclosure@vulncheck.com
https://www.vulncheck.com/advisories/openclaw-session-sandbox-escape-via-session-status-tool