Improper privilege management in OpenClaw - CVE-2026-32915

 

Improper privilege management in OpenClaw - CVE-2026-32915

Published: April 8, 2026


Vulnerability identifier: #VU125150
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-32915
CWE-ID: CWE-269
Exploitation vector: Local access
Exploit availability: No public exploit available
Vendor: OpenClaw
Affected software:
OpenClaw

Detailed vulnerability description

The vulnerability allows a local user to bypass sandbox and session-scope boundaries.

The vulnerability exists due to improper privilege management in the subagents control surface when handling subagent control requests. A local user can steer or kill a sibling run to bypass sandbox and session-scope boundaries.

The issue affects sandboxed leaf subagents and arises because control requests are resolved against the parent requester scope instead of the caller's own session tree.


How to mitigate CVE-2026-32915

Install security update from vendor's website.

Sources