Skip to content

Instantly share code, notes, and snippets.

@alon710

alon710/GHSA-WCXR-59V9-RXR8.md

Created March 14, 2026 06:40
Show Gist options

  • Select an option

    Learn more about clone URLs
  • Save alon710/04f59b4b34fdad62bcd6aca02cca19bb to your computer and use it in GitHub Desktop.

Select an option

Learn more about clone URLs
Save alon710/04f59b4b34fdad62bcd6aca02cca19bb to your computer and use it in GitHub Desktop.
Download ZIP
GHSA-WCXR-59V9-RXR8: GHSA-WCXR-59V9-RXR8: Sandbox Escape via Improper Authorization in OpenClaw session_status Tool - CVE Security Report
Raw
GHSA-WCXR-59V9-RXR8.md

GHSA-WCXR-59V9-RXR8: GHSA-WCXR-59V9-RXR8: Sandbox Escape via Improper Authorization in OpenClaw session_status Tool

CVSS Score: 9.9 Published: 2026-03-13 Full Report: https://cvereports.com/reports/GHSA-WCXR-59V9-RXR8

Summary

The OpenClaw session_status tool fails to properly validate authorization boundaries when processing the sessionKey parameter. This flaw allows restricted sandboxed subagents to read or influence the state of higher-privileged parent sessions, resulting in a critical sandbox escape.

TL;DR

OpenClaw versions prior to v2026.3.11 contain a critical authorization bypass in the session_status tool. Sandboxed subagents can supply a parent session key to access restricted metadata and API keys, breaking the intended isolation boundaries. Users must upgrade to v2026.3.11 or restrict the tool's usage via policy configuration.

Exploit Status: POC

Technical Details

  • CWE ID: CWE-285, CWE-639, CWE-693
  • Attack Vector: Network (Adjacent/Sandboxed Agent)
  • CVSS Score: 9.9 (Critical)
  • EPSS Score: 0.00043
  • Impact: Data Leakage, Sandbox Escape, Privilege Escalation
  • Exploit Status: Proof of Concept (PoC) Available

Affected Systems

  • OpenClaw < v2026.3.11
  • ClawdBot < v2026.3.11
  • MoltBot < v2026.3.11
  • OpenClaw: < v2026.3.11 (Fixed in: v2026.3.11)

Mitigation

  • Upgrade OpenClaw to the patched version (v2026.3.11)
  • Restrict session_status tool access via pi-tools.policy.ts
  • Monitor tool execution logs for cross-session access patterns

Remediation Steps:

  1. Identify all deployed instances of OpenClaw running versions prior to v2026.3.11.
  2. Pull the latest container images or update the OpenClaw package to version v2026.3.11.
  3. Review src/agents/pi-tools.policy.ts and remove the session_status tool from untrusted agent profiles.
  4. Verify the patch by running a test subagent and attempting to query a parent session key.
  5. Rotate any API keys or credentials that may have been exposed in vulnerable parent sessions prior to patching.

References

Generated by CVEReports - Automated Vulnerability Intelligence

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment