Impact
OpenClaw versions earlier than 2026.4.29 have a vulnerability that allows authenticated callers to bypass the session visibility checks implemented during a shared memory search. The flaw, identified as a weakness in access control (CWE-862), means that an attacker who can authenticate to the application can query memory entries that belong to other user sessions and should be hidden from them. The impact is the disclosure of sensitive in‑memory information, but it does not grant code execution or broader system compromise.
Affected Systems
The affected product is OpenClaw. Any installation running a release older than 2026.4.29 is susceptible to this session visibility check bypass.
Risk and Exploitability
The AV carries a CVSS score of 6.0, indicating moderate severity. The EPSS score of less than 1% suggests that exploitation is unlikely but not impossible. The vulnerability is not listed in CISA’s KEV catalog. Attackers must be authenticated and use the shared memory search endpoint, which restricts exploitation to users who already have valid application access.
OpenCVE Enrichment
Github GHSA