Improper Authorization in OpenClaw - #VU125188


Published: April 8, 2026


Vulnerability identifier: #VU125188
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: N/A
CWE-ID: CWE-285
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: OpenClaw
Affected software: OpenClaw

Detailed vulnerability description

The vulnerability allows a remote user to send messages to controlled child sessions outside the intended authorization scope.

The vulnerability exists due to improper authorization in the send action for subagent sessions: send requests from a leaf subagent whose controlScope is narrower than that of its children are not checked against that scope. A remote user can submit a crafted send request and deliver messages to controlled child sessions outside the intended authorization scope.

The issue affects leaf subagents, which can use the send action against their controlled child sessions despite having a narrower controlScope.
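The following is an added illustration of the bug class described above, not OpenClaw's own code; the session model, the meaning of controlScope as a list of session IDs, and the names canSendVulnerable, canSendFixed and send are all hypothetical. It places a child-relationship-only check beside one that also enforces the sender's controlScope.

```typescript
// Hypothetical model of a subagent session; not an OpenClaw type.
interface SubagentSession {
  id: string;
  parent: string | null;
  // Assumed semantics: the session IDs this subagent is permitted to control.
  // A "leaf" subagent is one whose scope does not include the children under it.
  controlScope: string[];
}

// Constructed sample tree: orchestrator -> leaf -> child. The leaf's scope is
// narrower than its child's, which is the situation the advisory describes.
const orchestrator: SubagentSession = { id: "orch", parent: null, controlScope: ["leaf", "child"] };
const leaf: SubagentSession = { id: "leaf", parent: "orch", controlScope: [] };
const child: SubagentSession = { id: "child", parent: "leaf", controlScope: ["child-worker"] };
const registry: SubagentSession[] = [orchestrator, leaf, child];

function lookup(id: string): SubagentSession | undefined {
  return registry.filter((s) => s.id === id)[0];
}

// Pre-fix style check: a send is authorized whenever the target is a controlled
// child of the sender. controlScope is never consulted, so a leaf can still
// reach its children even though its scope excludes them.
function canSendVulnerable(sender: SubagentSession, targetId: string): boolean {
  const target = lookup(targetId);
  return target !== undefined && target.parent === sender.id;
}

// Hardened check: the child relationship is necessary but not sufficient; the
// target must also fall inside the sender's own controlScope.
function canSendFixed(sender: SubagentSession, targetId: string): boolean {
  const target = lookup(targetId);
  return target !== undefined && target.parent === sender.id && sender.controlScope.indexOf(targetId) !== -1;
}

type Authorizer = (sender: SubagentSession, targetId: string) => boolean;

// Send wrapper that records the decision. A denied attempt from a leaf toward
// its own child is the event a defender would want logged and alerted on.
function send(sender: SubagentSession, targetId: string, message: string, authorize: Authorizer): { delivered: boolean; audit: string } {
  if (!authorize(sender, targetId)) {
    return { delivered: false, audit: `DENY send ${sender.id} -> ${targetId}: target outside controlScope` };
  }
  return { delivered: true, audit: `ALLOW send ${sender.id} -> ${targetId} (${message.length} chars)` };
}
```

With the constructed tree, canSendVulnerable lets the leaf message its child while canSendFixed denies it; the orchestrator, whose scope covers the leaf, is still allowed through.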


Remediation

Install the security update from the vendor's website.

Sources