CVE-2026-44997
OpenClaw Constraint Bypass via Subagent Session Spawning
Publication date: 2026-05-11
Last updated on: 2026-05-11
Assigner: VulnCheck
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| openclaw | openclaw | to 2026.4.22 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-266 | A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in OpenClaw before version 2026.4.22 allows restricted subagents to spawn ACP (Agent Communication Protocol) child sessions that do not properly inherit important security restrictions. These restrictions include limits on session depth, the number of active child sessions, control scope, and target-agent restrictions.
Because the child sessions bypass these constraints, attackers can exploit this flaw to create child sessions that escape subagent-only limitations, potentially escalating their privileges or gaining access to restricted resources.
How can this vulnerability impact me? :
The impact of this vulnerability is that an attacker controlling a restricted subagent could spawn child sessions that bypass security constraints intended to limit their capabilities.
- Potential privilege escalation by bypassing subagent-only restrictions.
- Unauthorized access to restricted resources that should be protected by session constraints.
- Violation of session control policies such as depth limits and child session counts, which could lead to resource exhaustion or unexpected behavior.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should upgrade OpenClaw to version 2026.4.22 or later, where the security envelope constraint bypass in ACP child sessions has been fixed.
The patch enforces subagent envelope inheritance on ACP child sessions, including checks for maximum spawn depth, active child session limits, and allowed agent IDs, preventing restricted subagents from spawning child sessions that bypass constraints.
Applying this update will prevent attackers from exploiting the vulnerability to escalate privileges or access restricted resources.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.