Description
OpenClaw versions 2026.3.11 through 2026.3.24 contain a session isolation bypass vulnerability where session_status resolves sessionId to canonical session keys before enforcing visibility checks. Sandboxed child sessions can exploit this to access parent or sibling sessions that should be blocked by explicit sessionKey restrictions.
Published: 2026-04-09
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized session access
Action: Immediate patch
AI Analysis

Impact

The vulnerability in OpenClaw occurs when the session_status component resolves a sessionId to its canonical session key before applying visibility checks. This allows a sandboxed child session to read data from parent or sibling sessions that should be restricted by explicit sessionKey rules, enabling disclosure of sensitive session information and potential session hijacking.

Affected Systems

Vendors: OpenClaw; Product: OpenClaw. Affected releases are version 2026.3.11 through 2026.3.24. The software runs on a Node.js environment.

Risk and Exploitability

The CVSS score of 7.1 indicates a moderate to high severity. No EPSS score is available and the issue is not catalogued in CISA’s KEV list, but the absence of official fix information suggests the risk remains. The flaw is exploitable by any code that can execute within a sandboxed child session, potentially including remote attackers who can create such sessions. Mitigation requires applying the patch or preventing the creation of child sessions until the fix is deployed.

Generated by OpenCVE AI on April 9, 2026 at 22:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update OpenClaw to version 2026.3.25 or newer.
  • If an update is not immediately possible, disallow or tightly restrict the creation of sandboxed child sessions until the patch is applied.
  • Verify that sessionKey restrictions are enforced after upgrading or after applying the child-session restriction.
  • Regularly review logs for unauthorized sessionId usage and monitor for suspicious session activity.

Advisories

No advisories yet.

History

Mon, 13 Apr 2026 16:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 09 Apr 2026 21:45:00 +0000

Type | Values Removed | Values Added
Description | | OpenClaw versions 2026.3.11 through 2026.3.24 contain a session isolation bypass vulnerability where session_status resolves sessionId to canonical session keys before enforcing visibility checks. Sandboxed child sessions can exploit this to access parent or sibling sessions that should be blocked by explicit sessionKey restrictions.
Title | | OpenClaw 2026.3.11 < 2026.3.25 - Session Isolation Bypass via sessionId Resolution
First Time appeared | | Openclaw; Openclaw openclaw
Weaknesses | | CWE-696
CPEs | | cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*
Vendors & Products | | Openclaw; Openclaw openclaw
References | |
Metrics | | cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}; cvssV4_0: {'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-13T15:37:47.279Z

Reserved: 2026-04-04T12:29:42.739Z

Link: CVE-2026-35636

Vulnrichment

Updated: 2026-04-10T20:16:36.872Z

NVD

Status : Analyzed

Published: 2026-04-09T22:16:32.750

Modified: 2026-04-16T20:48:34.190

Link: CVE-2026-35636

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-10T09:28:26Z

Weaknesses