CVE-2026-32918
Status: Received - Intake
Session Sandbox Escape in OpenClaw session_status Tool Allows Data Access

Publication date: 2026-03-29

Last updated on: 2026-03-31

Assigner: VulnCheck

Description
OpenClaw before 2026.3.11 contains a session sandbox escape vulnerability in the session_status tool that allows sandboxed subagents to access parent or sibling session state. Attackers can supply arbitrary sessionKey values to read or modify session data outside their sandbox scope, including persisted model overrides.
Meta Information
Published: 2026-03-29
Last Modified: 2026-03-31
Generated: 2026-06-16
AI Q&A: 2026-03-29
EPSS Evaluated: 2026-06-15
Affected Vendors & Products
Vendor: openclaw
Product: openclaw
Version / Range: all versions before 2026.3.11 (2026.3.11 itself excluded, i.e. fixed)
CWE
CWE-863 (Incorrect Authorization): The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
Executive Summary

CVE-2026-32918 is a session sandbox escape vulnerability in OpenClaw versions before 2026.3.11, specifically in the session_status tool.

The vulnerability allows sandboxed subagents to bypass their restricted environment by supplying arbitrary sessionKey values, enabling them to access or modify session data outside their sandbox scope.

This includes reading or changing parent or sibling session state and persisted model overrides.

The root cause is incorrect authorization (CWE-863): the tool resolves whatever sessionKey the caller supplies and reads or mutates that session, without checking that the target lies within the caller's own sandbox scope, so the authorization check that exists does not constrain which sessions a subagent can reach.

The issue was fixed in OpenClaw version 2026.3.11 by enforcing session visibility checks before any read or mutation of session state.
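
The flaw described in the Description and in the Executive Summary above, modelled as an added example in TypeScript. This is not OpenClaw's code: the session store, the key format ("main", "main/sub-a"), the parent-chain visibility rule and the function names (sessionStatusVulnerable, sessionStatusFixed, isVisible) are hypothetical stand-ins chosen to show the CWE-863 pattern the advisory names, a sandboxed subagent naming an arbitrary sessionKey and reaching the parent's persisted model override, beside the shape of fix the summary describes, a visibility check enforced before any read or mutation.

```typescript
// Added illustration for CVE-2026-32918 (CWE-863). NOT OpenClaw's code: the
// store, key format, scope rule and function names are hypothetical stand-ins.

interface SessionRecord {
  key: string;
  parentKey: string | null;      // null for a top-level (parent) session
  modelOverride: string | null;  // the "persisted model override" the advisory mentions
  summary: string;               // stand-in for other readable session state
}

type SessionStore = Map<string, SessionRecord>;

// Identity of the agent invoking the tool. A sandboxed subagent should only
// ever reach its own session and any sessions it spawned.
interface Caller {
  sessionKey: string;
  sandboxed: boolean;
}

interface StatusRequest {
  sessionKey?: string;    // attacker-controlled in the vulnerable flow
  model?: string | null;  // when present, persist a model override on the target
}

class SessionVisibilityError extends Error {
  constructor(message: string) {
    super(message);
    this.name = "SessionVisibilityError";
  }
}

// Constructed sample tree: one parent session with two sandboxed subagents.
function sampleSessions(): SessionStore {
  const records: SessionRecord[] = [
    { key: "main", parentKey: null, modelOverride: "default-model", summary: "user's private task context" },
    { key: "main/sub-a", parentKey: "main", modelOverride: null, summary: "subagent A scratch work" },
    { key: "main/sub-b", parentKey: "main", modelOverride: null, summary: "subagent B scratch work" },
  ];
  return new Map(records.map((r) => [r.key, r] as [string, SessionRecord]));
}

// Vulnerable shape: the only check is that the key exists. The caller's sandbox
// scope is never consulted, so any sessionKey the subagent names is resolved,
// read, and (if a model is supplied) mutated.
function sessionStatusVulnerable(store: SessionStore, caller: Caller, req: StatusRequest): SessionRecord {
  const key = req.sessionKey ?? caller.sessionKey;
  const rec = store.get(key);
  if (!rec) throw new Error(`unknown session: ${key}`);
  if (req.model !== undefined) rec.modelOverride = req.model;  // write with no scope check
  return rec;
}

// Assumed visibility rule for the fixed version: unsandboxed callers see every
// session; a sandboxed caller sees a session only if walking up the parent chain
// from it reaches the caller's own session (itself or one of its descendants).
function isVisible(store: SessionStore, caller: Caller, targetKey: string): boolean {
  if (!caller.sandboxed) return true;
  let cur: string | null = targetKey;
  let depth = 0;
  while (cur !== null && depth < 64) {  // depth cap guards against cyclic data
    if (cur === caller.sessionKey) return true;
    cur = store.get(cur)?.parentKey ?? null;
    depth++;
  }
  return false;
}

// Fixed shape: decide visibility first and refuse before either the read or the
// mutation. For a sandboxed caller, unknown keys and known-but-out-of-scope keys
// fail identically, so the tool is not an existence oracle for other sessions.
function sessionStatusFixed(store: SessionStore, caller: Caller, req: StatusRequest): SessionRecord {
  const key = req.sessionKey ?? caller.sessionKey;
  if (!isVisible(store, caller, key)) {
    throw new SessionVisibilityError(`session ${key} is outside the caller's sandbox scope`);
  }
  const rec = store.get(key);
  if (!rec) throw new Error(`unknown session: ${key}`);
  if (req.model !== undefined) rec.modelOverride = req.model;
  return rec;
}

// Stand-alone run: subagent A tries to rewrite the parent's model override.
function demo(): { leakedParentOverride: string | null; fixedRefused: boolean } {
  const attacker: Caller = { sessionKey: "main/sub-a", sandboxed: true };
  const attack: StatusRequest = { sessionKey: "main", model: "attacker-chosen-model" };

  const before = sampleSessions();
  sessionStatusVulnerable(before, attacker, attack);
  const leakedParentOverride = before.get("main")!.modelOverride;  // "attacker-chosen-model"

  const after = sampleSessions();
  let fixedRefused = false;
  try {
    sessionStatusFixed(after, attacker, attack);
  } catch (e) {
    fixedRefused = (e as Error).name === "SessionVisibilityError";
  }
  return { leakedParentOverride, fixedRefused };
}

console.log(demo());
```

The ordering in sessionStatusFixed is the whole point: the scope decision is made from the caller's identity and the requested key alone, before the record is fetched and before any field is written, so an out-of-scope request cannot leak a read or leave a persisted change behind. Whatever OpenClaw's real visibility rule is, a handler that fetches first and checks afterwards, or that checks only on read but not on the mutation path, reproduces the CWE-863 condition.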

Mitigation Strategies

To mitigate this vulnerability, you should update OpenClaw to version 2026.3.11 or later, where the issue has been fixed by enforcing proper session visibility checks in the session_status tool.

Compliance Impact

The vulnerability allows unauthorized access to and modification of session data beyond the intended sandbox scope, compromising the confidentiality and integrity of whatever that session state holds.

Where session state carries personal or otherwise regulated data, such access could breach data protection regimes such as GDPR and HIPAA, which mandate strict controls over access to personal and sensitive information; exploitation may therefore result in non-compliance with those standards through exposure or unauthorized modification of protected data.

Impact Analysis

This vulnerability can have a significant impact: a low-privilege local attacker, in this case one acting through a sandboxed subagent, can gain unauthorized access to session data beyond that sandbox.

The attacker can read sensitive session information and modify session state, including persisted model overrides.

This compromises the confidentiality and integrity of session data, potentially leading to unauthorized data disclosure or manipulation.

However, the vulnerability does not affect system availability.
