Incorrect authorization in OpenClaw - CVE-2026-32918

 

Incorrect authorization in OpenClaw - CVE-2026-32918

Published: April 8, 2026


Vulnerability identifier: #VU125164
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-32918
CWE-ID: CWE-863
Exploitation vector: Local access
Exploit availability: No public exploit available
Vendor: OpenClaw
Affected software:
OpenClaw

Detailed vulnerability description

The vulnerability allows a local user to disclose sensitive information and modify session state outside its sandbox scope.

The vulnerability exists due to incorrect authorization in the built-in session_status tool when processing a supplied sessionKey for session status access. A local user can supply another session's sessionKey to disclose sensitive information and modify session state outside its sandbox scope.

The issue affects sandboxed subagents and can expose parent or sibling session data, including persisted model override settings.


How to mitigate CVE-2026-32918

Install security update from vendor's website.

Sources