CVE
GHSA-hh43-q692-2xmq
Duplicate Advisory: `OpenClaw: session_status` let sandboxed subagents access parent or sibling session state
Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-wcxr-59v9-rxr8. This link is maintained to preserve external references.
Original Description
OpenClaw before 2026.3.11 contains a session sandbox escape vulnerability in the session_status tool that allows sandboxed subagents to access parent or sibling session state. Attackers can supply arbitrary sessionKey values to read or modify session data outside their sandbox scope, including persisted model overrides.
Package Versions Affected
Package Version
patch Availability
No items found.
Automatically patch vulnerabilities without upgrading
Fix Without Upgrading
Detect compatible fix
Apply safe remediation
Fix with a single pull request
CVSS Version
Severity
Base Score
CVSS Version
Score Vector
C
H
U
-
C
H
U
0
-
3.1
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
C
H
U
-
Related Resources
No items found.
References
https://github.com/openclaw/openclaw/security/advisories/GHSA-wcxr-59v9-rxr8, https://nvd.nist.gov/vuln/detail/CVE-2026-32918, https://github.com/openclaw/openclaw, https://www.vulncheck.com/advisories/openclaw-session-sandbox-escape-via-session-status-tool
Basic Information
Ecosystem
