Description
OpenClaw before 2026.4.29 contains a session visibility check bypass vulnerability in shared memory search that allows authenticated callers to access memory entries without proper authorization. Attackers can skip session visibility guards on the search path to retrieve memory entries that should not be visible to their session.
Published: 2026-06-16
Score: 6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

OpenClaw versions earlier than 2026.4.29 have a vulnerability that allows authenticated callers to bypass the session visibility checks implemented during a shared memory search. The flaw, identified as a weakness in access control (CWE-862), means that an attacker who can authenticate to the application can query memory entries that belong to other user sessions and should be hidden from them. The impact is the disclosure of sensitive in‑memory information, but it does not grant code execution or broader system compromise.

Affected Systems

The affected product is OpenClaw. Any installation running a release older than 2026.4.29 is susceptible to this session visibility check bypass.

Risk and Exploitability

The AV carries a CVSS score of 6.0, indicating moderate severity. The EPSS score of less than 1% suggests that exploitation is unlikely but not impossible. The vulnerability is not listed in CISA’s KEV catalog. Attackers must be authenticated and use the shared memory search endpoint, which restricts exploitation to users who already have valid application access.

Generated by OpenCVE AI on June 17, 2026 at 22:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OpenClaw to version 2026.4.29 or later.
  • Enforce strict role‑based access controls on the shared memory search functionality, ensuring that only users with explicit permission to read specific memory entries can use the endpoint.
  • Enable detailed logging of shared memory search operations and configure alerts for anomalous activity, such as repeated searches for memory entries outside the user’s authorized scope.

Generated by OpenCVE AI on June 17, 2026 at 22:28 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-72fw-cqh5-f324 OpenClaw: memory-wiki shared search could miss session visibility checks
History

Tue, 16 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 18:30:00 +0000

Type Values Removed Values Added
Description OpenClaw before 2026.4.29 contains a session visibility check bypass vulnerability in shared memory search that allows authenticated callers to access memory entries without proper authorization. Attackers can skip session visibility guards on the search path to retrieve memory entries that should not be visible to their session.
Title OpenClaw < 2026.4.29 - Session Visibility Check Bypass in Shared Memory Search
First Time appeared Openclaw
Openclaw openclaw
Weaknesses CWE-862
CPEs cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*
Vendors & Products Openclaw
Openclaw openclaw
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}

cvssV4_0

{'score': 6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


Subscriptions

Openclaw Openclaw
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-16T18:39:20.445Z

Reserved: 2026-06-10T21:19:32.652Z

Link: CVE-2026-53844

cve-icon Vulnrichment

Updated: 2026-06-16T18:38:58.360Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-06-16T19:17:01.390

Modified: 2026-06-16T20:42:46.200

Link: CVE-2026-53844

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-17T22:30:13Z

Weaknesses