CVE-2026-27004
Improper Access Control in OpenClaw Sessions Exposes Transcripts

Publication date: 2026-02-20

Last updated on: 2026-02-20

Assigner: GitHub, Inc.

Description
OpenClaw is a personal AI assistant. Prior to version 2026.2.15, in some shared-agent deployments, OpenClaw session tools (`sessions_list`, `sessions_history`, `sessions_send`) allowed broader session targeting than some operators intended. This is primarily a configuration/visibility-scoping issue in multi-user environments where peers are not equally trusted. In Telegram webhook mode, monitor startup also did not fall back to per-account `webhookSecret` when only the account-level secret was configured. In shared-agent, multi-user, less-trusted environments: session-tool access could expose transcript content across peer sessions. In single-agent or trusted environments, practical impact is limited. In Telegram webhook mode, account-level secret wiring could be missed unless an explicit monitor webhook secret override was provided. Version 2026.2.15 fixes the issue.
Meta Information
Published: 2026-02-20
Last Modified: 2026-02-20
Generated: 2026-06-16
AI Q&A: 2026-02-20
EPSS Evaluated: 2026-06-15
Affected Vendors & Products
Vendor: openclaw
Product: openclaw
Version / Range: up to 2026.2.15 (excluding)
CWE
CWE-346: The product does not properly verify that the source of data or communication is valid.
CWE-209: The product generates an error message that includes sensitive information about its environment, users, or associated data.
AI Quick Actions
Executive Summary

The vulnerability in OpenClaw prior to version 2026.2.15 involves session tools such as sessions_list, sessions_history, and sessions_send allowing broader session targeting than intended in shared-agent, multi-user deployments. This is mainly due to insufficient configuration and visibility scoping, which can lead to unauthorized exposure of session transcript content across peer sessions in environments where users are not equally trusted.

Additionally, in Telegram webhook mode, the monitor startup process did not properly fall back to the per-account webhookSecret when only the account-level secret was configured, potentially causing secret mismanagement.

The fix introduced a configuration parameter, tools.sessions.visibility, which restricts session tool access by default to the current session and its spawned subagent sessions (tree visibility), preventing cross-session data leakage. It also enforces sandbox clamping to restrict sandboxed sessions to spawned session visibility and ensures proper fallback handling of Telegram webhook secrets.

Impact Analysis

In multi-user, less-trusted environments using shared-agent deployments, this vulnerability can lead to unauthorized access to session transcript content across peer sessions, exposing potentially sensitive information to unintended users.

In single-agent or trusted environments, the practical impact is limited.

In Telegram webhook mode, improper handling of webhook secrets could lead to secret mismanagement, potentially allowing unauthorized access or misuse of webhook integrations.


Detection Guidance

Detection of this vulnerability involves verifying the configuration of OpenClaw session tools and their visibility scope to ensure they are not exposing broader session data than intended.

Specifically, check the value of the configuration parameter `tools.sessions.visibility`. It should be set to "tree" or a more restrictive scope to prevent unauthorized session access.

Commands or steps to detect the vulnerability might include:

- Inspect the OpenClaw configuration file or environment for the `tools.sessions.visibility` setting.
- Use OpenClaw session tools such as `sessions_list`, `sessions_history`, and `sessions_send` to test whether session data from unrelated sessions or agents is accessible.
- In Telegram webhook mode, verify that the monitor startup correctly uses the per-account `webhookSecret` fallback if no explicit override is provided.

No explicit command-line commands are provided in the resources, but these configuration checks and session tool usage tests are the recommended approach. [1, 2]
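A configuration audit that applies the checks listed above to a deployment's config file, added here as an example; it is not OpenClaw's own code and not taken from the advisory's resources. Only `tools.sessions.visibility`, the per-account `webhookSecret`, the "tree" scope and the fixed version 2026.2.15 come from the advisory. The JSON layout (an `openclaw.version` string, a `channels.telegram` block with a `mode`, an optional `monitor.webhookSecret` override and an `accounts` list) and the name `spawned` for the narrower sandbox scope are assumptions made for illustration; adapt the key paths to the real config format.

```python
"""Audit a configuration for the CVE-2026-27004 conditions.

Added example; not OpenClaw's own code. The layout below (JSON with
"openclaw.version", "tools.sessions.visibility" and a "channels.telegram"
block) is assumed for illustration; only tools.sessions.visibility,
webhookSecret and the fixed version 2026.2.15 come from the advisory.
"""
import json

FIXED_VERSION = (2026, 2, 15)
# "tree" is the fixed default named in the advisory; "spawned" is an assumed
# name for the narrower scope the sandbox clamp applies.
SAFE_VISIBILITY = {"tree", "spawned"}


def parse_version(text):
    """'2026.2.15' -> (2026, 2, 15), so releases compare in date order."""
    return tuple(int(part) for part in text.split("."))


def lookup(config, dotted, default=None):
    """Follow a dotted key path through nested dicts; default if any hop is missing."""
    node = config
    for key in dotted.split("."):
        if not isinstance(node, dict) or key not in node:
            return default
        node = node[key]
    return node


def audit(config):
    """Return a list of finding strings; an empty list means nothing was flagged."""
    findings = []

    version = lookup(config, "openclaw.version")
    fixed = version is not None and parse_version(version) >= FIXED_VERSION
    if not fixed:
        findings.append(f"version {version!r} predates 2026.2.15: upgrade")

    # Session-tool scoping: the parameter only exists from the fixed release,
    # so an unset value on an older build means no scoping is available.
    visibility = lookup(config, "tools.sessions.visibility")
    if visibility is None:
        if not fixed:
            findings.append("no session visibility scoping available before 2026.2.15")
    elif visibility not in SAFE_VISIBILITY:
        findings.append(f"tools.sessions.visibility={visibility!r}: set 'tree' or narrower")

    # Telegram webhook secret wiring: pre-fix builds only honoured an explicit
    # monitor override, not the per-account webhookSecret fallback.
    telegram = lookup(config, "channels.telegram", {})
    if telegram.get("mode") == "webhook" and not lookup(telegram, "monitor.webhookSecret"):
        for account in telegram.get("accounts", []):
            name = account.get("name", "<unnamed>")
            if not account.get("webhookSecret"):
                findings.append(f"telegram account {name}: no webhookSecret at all")
            elif not fixed:
                findings.append(f"telegram account {name}: per-account webhookSecret "
                                "is not applied without a monitor override before 2026.2.15")
    return findings


def audit_json(text):
    """Convenience wrapper: audit a JSON config document given as a string."""
    return audit(json.loads(text))


# Constructed sample configs (placeholders, not real deployments).
VULNERABLE_CONFIG = """{
  "openclaw": {"version": "2026.2.10"},
  "tools": {"sessions": {"visibility": "all"}},
  "channels": {"telegram": {"mode": "webhook",
                            "accounts": [{"name": "ops", "webhookSecret": "secret-placeholder"}]}}
}"""

FIXED_CONFIG = """{
  "openclaw": {"version": "2026.2.15"},
  "tools": {"sessions": {"visibility": "tree"}},
  "channels": {"telegram": {"mode": "webhook",
                            "accounts": [{"name": "ops", "webhookSecret": "secret-placeholder"}]}}
}"""

if __name__ == "__main__":
    for label, doc in (("vulnerable", VULNERABLE_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, audit_json(doc) or ["ok"])
```

The version gate matters because `tools.sessions.visibility` only exists from 2026.2.15: on an older build the audit reports the missing scoping and the unapplied webhook fallback together, so the finding list reads as "upgrade first, then confirm the scope" rather than suggesting a setting that the running version would ignore.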

Mitigation Strategies

To mitigate this vulnerability immediately, upgrade OpenClaw to version 2026.2.15 or later, where the issue is fixed.

Additionally, configure the `tools.sessions.visibility` parameter to "tree" or a more restrictive setting to limit session tool access to the current session and its spawned subagent sessions.

Ensure that sandboxed sessions have the visibility clamp enforced, preventing them from accessing sessions outside their spawn tree.

In Telegram webhook mode, verify that the monitor startup process correctly falls back to the per-account `webhookSecret` if no explicit override is provided, to avoid secret mismanagement.

Review and update your deployment configuration to enforce these settings and prevent unauthorized session transcript exposure. [1, 2]
