Listen to this Post
The vulnerability resides in the OpenClaw `session_status` tool, which failed to enforce the intended session-visibility boundary. OpenClaw employs a sandboxing mechanism to isolate subagent sessions, ensuring they can only access their own state . However, due to missing authorization checks, a malicious or compromised sandboxed subagent could supply the `sessionKey` of a parent or sibling session to the `session_status` tool . The tool, lacking proper validation, would then retrieve and return the state of the target session, breaking the isolation. In more severe cases, the subagent could also modify the target session’s persisted model override, leading to data integrity issues . This flaw allows a low-privileged attacker to read sensitive information from other sessions or manipulate their behavior, effectively bypassing the core security model of the platform .
Platform: OpenClaw npm package
Version: <= 2026.3.8
Vulnerability : Incorrect Authorization
Severity: High
date: 2026-03-13
Prediction: 2026-03-20
What Undercode Say:
Analytics:
This vulnerability (CWE-863) is critical as it breaks the fundamental tenant of session isolation in a multi-agent AI platform . An attacker who can execute a sandboxed subagent can pivot to compromise other user sessions, potentially accessing private conversation histories, API keys, or other sensitive data stored in the session state .
Bash and Code:
Check the currently installed version of OpenClaw:
npm list openclaw
If the version is 2026.3.8 or lower, the system is vulnerable. Update to the patched version using:
npm install [email protected]
To verify the update, check the version again:
openclaw --version
How Exploit:
An attacker would first need to establish a sandboxed subagent session on the target OpenClaw instance. Once inside this low-privilege context, they would interact with the `session_status` tool. Instead of providing their own session key, the attacker would supply the `sessionKey` of a target session they wish to compromise (e.g., a parent session or another user’s session). Due to the missing authorization check, the tool would return the full state of that foreign session to the attacker .
Protection from this CVE:
- Immediate Update: Upgrade the OpenClaw package to version `2026.3.11` or later. This version enforces proper visibility checks on all session tools .
- Network Segmentation: Ensure that OpenClaw instances are not directly exposed to untrusted networks. Run them behind a firewall to limit the ability of external attackers to create malicious subagents.
- Monitoring: Audit logs for anomalous access to `session_status` where the `sessionKey` parameter does not match the expected session tree.
Impact:
- Confidentiality: A sandboxed subagent can read the entire state of a parent or sibling session, leading to information disclosure of sensitive data .
- Integrity: In affected releases, the attacker could modify the target session’s persisted model override, leading to corrupted data or altered agent behavior .
- Privilege Escalation: By accessing parent session data, a low-privilege subagent can effectively escalate its privileges by obtaining credentials or context meant for a higher-trust session.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

