CVE
GHSA-q2qc-744p-66r2
OpenClaw: `session_status` sessionId resolution bypasses sandboxed session-tree visibility
Summary
session_status sessionId resolution bypasses sandboxed session-tree visibility
Affected Packages / Versions
- Package:
openclaw - Affected versions:
>= 2026.3.11, <= 2026.3.24 - First patched version:
2026.3.25 - Latest published npm version at verification time:
2026.3.24
Details
session_status previously resolved a sessionId to a canonical session key after early visibility checks, letting sandboxed children reach parent or sibling sessions that were blocked by explicit sessionKey. Commit d9810811b6c3c9266d7580f00574e5e02f7663de enforces visibility after sessionId resolution so sandboxed callers cannot escape their session tree.
Verified vulnerable on tag v2026.3.24 and fixed on main by commit d9810811b6c3c9266d7580f00574e5e02f7663de.
Fix Commit(s)
d9810811b6c3c9266d7580f00574e5e02f7663de
Package Versions Affected
Package Version
patch Availability
No items found.
Automatically patch vulnerabilities without upgrading
Fix Without Upgrading
Detect compatible fix
Apply safe remediation
Fix with a single pull request
CVSS Version
Severity
Base Score
CVSS Version
Score Vector
C
H
U
-
C
H
U
0
-
C
H
U
7.5
-
3.1
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Related Resources
No items found.
References
https://github.com/openclaw/openclaw/security/advisories/GHSA-q2qc-744p-66r2, https://github.com/openclaw/openclaw/commit/d9810811b6c3c9266d7580f00574e5e02f7663de, https://github.com/openclaw/openclaw
Basic Information
Ecosystem
