CVE Reports

Posted on • Originally published at cvereports.com

GHSA-WCXR-59V9-RXR8: Sandbox Escape via Improper Authorization in OpenClaw session_status Tool

Vulnerability ID: GHSA-WCXR-59V9-RXR8
CVSS Score: 9.9
Published: 2026-03-13

The OpenClaw session_status tool fails to properly validate authorization boundaries when processing the sessionKey parameter. This flaw allows restricted sandboxed subagents to read or influence the state of higher-privileged parent sessions, resulting in a critical sandbox escape.

TL;DR

OpenClaw versions prior to v2026.3.11 contain a critical authorization bypass in the session_status tool. Sandboxed subagents can supply a parent session key to access restricted metadata and API keys, breaking the intended isolation boundaries. Users must upgrade to v2026.3.11 or restrict the tool's usage via policy configuration.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-285, CWE-639, CWE-693
  • Attack Vector: Network (Adjacent/Sandboxed Agent)
  • CVSS Score: 9.9 (Critical)
  • EPSS Score: 0.00043
  • Impact: Data Leakage, Sandbox Escape, Privilege Escalation
  • Exploit Status: Proof of Concept (PoC) Available

Affected Systems

  • OpenClaw < v2026.3.11
  • ClawdBot < v2026.3.11
  • MoltBot < v2026.3.11
  • OpenClaw: < v2026.3.11 (Fixed in: v2026.3.11)

Exploit Details

  • Snyk Labs: Technical analysis and exploit paths documented by Snyk Labs

Mitigation Strategies

  • Upgrade OpenClaw to the patched version (v2026.3.11)
  • Restrict session_status tool access via pi-tools.policy.ts
  • Monitor tool execution logs for cross-session access patterns
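
An added example (not OpenClaw code) of the log monitoring in the last item above: it flags session_status calls in which a sandboxed caller requests a sessionKey other than its own. The JSON-lines log format, the field names (tool, callerSession, sandboxed, args) and the sample lines are constructed assumptions; map them to whatever your deployment actually logs.

```typescript
// Added example: schema and log lines are constructed, not OpenClaw's real log format.
interface ToolEvent {
  tool: string;                  // tool name invoked by the agent
  callerSession: string;         // session key of the agent making the call
  sandboxed: boolean;            // true when the caller runs in a sandbox
  args?: { sessionKey?: string };
}

interface Finding {
  line: number;                  // 1-based line number in the log
  callerSession: string;
  requestedSession: string;
}

// Constructed sample log (one JSON object per line).
const SAMPLE_LOG = [
  '{"tool":"session_status","callerSession":"sub-1","sandboxed":true,"args":{}}',
  '{"tool":"session_status","callerSession":"sub-1","sandboxed":true,"args":{"sessionKey":"sub-1"}}',
  '{"tool":"session_status","callerSession":"sub-1","sandboxed":true,"args":{"sessionKey":"parent-main"}}',
  '{"tool":"session_status","callerSession":"parent-main","sandboxed":false,"args":{"sessionKey":"sub-1"}}',
  'not json',
  '{"tool":"read_file","callerSession":"sub-2","sandboxed":true,"args":{"sessionKey":"parent-main"}}',
].join("\n");

// Return every session_status call where a sandboxed caller asked for a
// session key that is not its own (the cross-session pattern to review).
function findCrossSessionAccess(log: string): Finding[] {
  const findings: Finding[] = [];
  log.split("\n").forEach((raw, idx) => {
    let ev: ToolEvent;
    try {
      ev = JSON.parse(raw);
    } catch {
      return; // skip malformed lines instead of aborting the scan
    }
    if (!ev || typeof ev !== "object") return;
    if (ev.tool !== "session_status" || !ev.sandboxed) return;
    const requested = ev.args?.sessionKey;
    if (typeof requested === "string" && requested !== ev.callerSession) {
      findings.push({ line: idx + 1, callerSession: ev.callerSession, requestedSession: requested });
    }
  });
  return findings;
}

console.log(findCrossSessionAccess(SAMPLE_LOG));
```

Findings from logs written before the upgrade also indicate which parent sessions need the credential rotation listed in the remediation steps.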

Remediation Steps:

  1. Identify all deployed instances of OpenClaw running versions prior to v2026.3.11.
  2. Pull the latest container images or update the OpenClaw package to version v2026.3.11.
  3. Review src/agents/pi-tools.policy.ts and remove the session_status tool from untrusted agent profiles.
  4. Verify the patch by running a test subagent and attempting to query a parent session key.
  5. Rotate any API keys or credentials that may have been exposed in vulnerable parent sessions prior to patching.
