#VU125164 Incorrect authorization in OpenClaw - CVE-2026-32918

Published: April 8, 2026


Vulnerability identifier: #VU125164
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-32918
CWE-ID: CWE-863
Exploitation vector: Local access
Exploit availability: No public exploit available
Vulnerable software: OpenClaw
Software vendor: OpenClaw

Description

The vulnerability allows a local user to disclose sensitive information and modify session state outside its sandbox scope.

The vulnerability exists due to incorrect authorization in the built-in session_status tool when processing a supplied sessionKey for session status access. A local user can supply another session's sessionKey to disclose sensitive information and modify session state outside its sandbox scope.

The issue affects sandboxed subagents and can expose parent or sibling session data, including persisted model override settings.
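The flaw described above is a CWE-863 pattern: a tool takes a caller-supplied session key and acts on it without checking that the key lies inside the caller's sandbox scope. The following Python snippet is an added illustration of that pattern and its fix; it is not OpenClaw's code, and the names (SessionStore, session_status_unchecked, session_status_scoped), the parent/child session tree and the "own session or descendants" scoping rule are all assumptions made for the example. The unchecked handler lets a sandboxed subagent read and write a parent or sibling session's persisted model override; the scoped handler refuses anything outside the caller's subtree and returns the same error for unknown keys so it does not act as an existence oracle.

```python
"""Constructed illustration of CWE-863 in a session-status tool.

A sandboxed subagent asks the tool about a session by supplying a session key.
The unchecked handler trusts that key; the scoped handler first verifies the
key lies inside the caller's sandbox scope (itself or sessions it spawned).
Hypothetical names and data throughout; this is not OpenClaw's code.
"""
from __future__ import annotations

from dataclasses import dataclass


class AuthorizationError(Exception):
    """Raised when a caller asks about a session outside its sandbox scope."""


@dataclass
class Session:
    key: str
    parent: str | None                  # key of the session that spawned this one
    sandboxed: bool                     # True for subagents confined to their own scope
    model_override: str | None = None   # persisted per-session setting


class SessionStore:
    """In-memory session table standing in for persisted session state."""

    def __init__(self) -> None:
        self._sessions: dict[str, Session] = {}

    def add(self, session: Session) -> None:
        self._sessions[session.key] = session

    def get(self, key: str) -> Session | None:
        return self._sessions.get(key)


def in_scope(store: SessionStore, caller_key: str, target_key: str) -> bool:
    """True if target is the caller's own session or one of its descendants."""
    node = store.get(target_key)
    while node is not None:
        if node.key == caller_key:
            return True
        node = store.get(node.parent) if node.parent is not None else None
    return False


def session_status_unchecked(store: SessionStore, caller_key: str,
                             requested_key: str, model: str | None = None) -> dict:
    """Vulnerable pattern: the caller-supplied key is used as-is, caller ignored."""
    session = store.get(requested_key)
    if session is None:
        raise KeyError(requested_key)
    if model is not None:
        session.model_override = model  # write lands on whatever key was supplied
    return {"key": session.key, "parent": session.parent,
            "model_override": session.model_override}


def session_status_scoped(store: SessionStore, caller_key: str,
                          requested_key: str, model: str | None = None) -> dict:
    """Hardened pattern: authorize the requested key against the caller's scope first."""
    caller = store.get(caller_key)
    if caller is None:
        raise AuthorizationError("unknown caller")
    if caller.sandboxed and not in_scope(store, caller_key, requested_key):
        # Same error for out-of-scope and nonexistent keys: no existence oracle.
        raise AuthorizationError(f"session {requested_key!r} is outside the caller's scope")
    return session_status_unchecked(store, caller_key, requested_key, model)


def access_allowed(store: SessionStore, caller_key: str, requested_key: str) -> bool:
    """Does the scoped tool permit this read? Convenience wrapper for checks."""
    try:
        session_status_scoped(store, caller_key, requested_key)
    except AuthorizationError:
        return False
    return True


def build_demo_store() -> SessionStore:
    """Constructed session tree: one parent, two sandboxed subagents, one grandchild."""
    store = SessionStore()
    store.add(Session("main", parent=None, sandboxed=False, model_override="model-x"))
    store.add(Session("sub-a", parent="main", sandboxed=True))
    store.add(Session("sub-b", parent="main", sandboxed=True))
    store.add(Session("sub-a-child", parent="sub-a", sandboxed=True))
    return store


if __name__ == "__main__":
    store = build_demo_store()
    # Unchecked: sandboxed sub-a reads its parent's persisted override.
    print(session_status_unchecked(store, "sub-a", "main"))
    # Scoped: parent and sibling are refused; own and child sessions still work.
    for target in ("main", "sub-b", "sub-a", "sub-a-child"):
        print(target, "allowed" if access_allowed(store, "sub-a", target) else "denied")
```

The fix is deliberately placed before any data access: the scoped handler reuses the same read/write code as the unchecked one, so the only behavioural difference is the authorization step, which is the shape of change a reviewer should expect in a patch for this class of bug. Non-sandboxed sessions are left unrestricted here to mirror the advisory's "sandboxed subagents" wording; a stricter deployment could apply the subtree rule to every caller.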


Remediation

Install the security update from the vendor's website.

External links