Impact
OpenClaw versions before 2026.3.11 include a sandbox boundary bypass that lets a leaf subagent reach the subagents control surface and have its requests resolved against the parent requester’s scope instead of its own session tree. Because authorization checks on control requests are insufficient, a low‑privileged sandboxed worker can steer or terminate sibling runs and launch executions with broader tool policies than its own. This can lead to arbitrary code execution with higher privileges within the sandbox, potentially exposing sensitive data or compromising workflows on the host system.
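As an added illustration of the scoping mistake this advisory describes (not OpenClaw's code; the run table, field names and authorize functions are hypothetical), a control-request check that resolves the target against the session owner's scope is shown beside one that resolves it against the caller's own subtree and caps the requested tool policy:

```javascript
// Hypothetical session tree (constructed sample, not OpenClaw data).
// `owner` is the principal that launched the session; `policy` is a tool
// policy level where a higher number means broader permissions.
const RUNS = {
  owner:   { parent: null,      owner: "owner", policy: 3 },
  workerA: { parent: "owner",   owner: "owner", policy: 1 },
  workerB: { parent: "owner",   owner: "owner", policy: 1 },
  leafA1:  { parent: "workerA", owner: "owner", policy: 1 },
};

// True when `runId` is `root` or one of its descendants.
function inSubtree(runId, root) {
  for (let cur = runId; cur; cur = RUNS[cur]?.parent) {
    if (cur === root) return true;
  }
  return false;
}

// VULNERABLE pattern: the control surface resolves the request against the
// parent requester's (session owner's) scope, so a leaf run's request is
// checked as if the owner had made it, and the requested tool policy is
// never compared with the caller's own.
function authorizeVulnerable(req) {
  const scopeRoot = RUNS[req.caller]?.owner;   // wrong principal
  return inSubtree(req.target, scopeRoot);
}

// FIXED pattern: the scope is the caller's own session subtree, and a spawn
// may not request a tool policy broader than the caller already holds.
function authorizeFixed(req) {
  const caller = RUNS[req.caller];
  if (!caller || !RUNS[req.target]) return false;
  if (!inSubtree(req.target, req.caller)) return false;
  if (req.action === "spawn" && (req.policy ?? 0) > caller.policy) return false;
  return true;
}

// A leaf worker trying to terminate a sibling under another worker.
const siblingKill = { caller: "leafA1", action: "terminate", target: "workerB" };
console.log("vulnerable:", authorizeVulnerable(siblingKill)); // true
console.log("fixed:", authorizeFixed(siblingKill));           // false
```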
Affected Systems
The product affected is the OpenClaw npm package (OpenClaw:OpenClaw). All releases less than version 2026.3.11 are vulnerable; the issue appears in any Node.js environment where the package is installed, regardless of Node.js version. No specific sub‑versions are listed, so any installation of an affected release should be treated as compromised.
Risk and Exploitability
The severity is rated high, with a CVSS score of 9.3. EPSS data is not available, so the probability of exploitation cannot be quantified, but the absence of this information does not diminish the critical nature of the vulnerability. The flaw is exploitable by an attacker who can gain even minimal access to a sandboxed worker or subagent, typically via web or API interfaces that expose the subagent control surface. Once exploited, it lets the attacker manipulate sibling runs and elevate privileges, leading to a full sandbox escape. Although the vulnerability is not listed in CISA’s KEV catalog, the combination of high severity and the nature of the impact warrants urgent attention.
OpenCVE Enrichment