CVE-2026-32918

Published: Mar 29, 2026 Last Modified: Mar 29, 2026

ExploitDB:

Other exploit source:

Google Dorks:

CRITICAL 9,2

Source: [email protected]

Attack Vector: local

Attack Complexity: low

Privileges Required: low

User Interaction: none

Confidentiality: N/A

Integrity: N/A

Availability: N/A

HIGH 8,4

Source: [email protected]

Attack Vector: local

Attack Complexity: low

Privileges Required: low

User Interaction: none

Scope: changed

Confidentiality: high

Integrity: high

Availability: none

Description

AI Translation Available

OpenClaw before 2026.3.11 contains a session sandbox escape vulnerability in the session_status tool that allows sandboxed subagents to access parent or sibling session state. Attackers can supply arbitrary sessionKey values to read or modify session data outside their sandbox scope, including persisted model overrides.

863

Incorrect Authorization

Incomplete

Abstraction: Class Structure: Simple

Common Consequences

Security Scopes Affected:

Confidentiality Integrity Access Control Availability

Potential Impacts:

Read Application Data Read Files Or Directories Modify Application Data Modify Files Or Directories Gain Privileges Or Assume Identity Bypass Protection Mechanism Execute Unauthorized Code Or Commands Dos: Crash, Exit, Or Restart Dos: Resource Consumption (Cpu) Dos: Resource Consumption (Memory) Dos: Resource Consumption (Other)

Applicable Platforms

Technologies: Database Server, Not Technology-Specific, Web Server

Likelihood of Exploit: High

View CWE Details

https://github.com/openclaw/openclaw/security/advisories/GH…

https://github.com/openclaw/openclaw/security/advisories/GHSA-wcxr-59v9-rxr8

https://www.vulncheck.com/advisories/openclaw-session-sandb…

https://www.vulncheck.com/advisories/openclaw-session-sandbox-escape-via-sessio…

CVE-2026-32918

Description

Incorrect Authorization

Common Consequences

Applicable Platforms

Iscriviti alla newsletter