CVE-2026-35662: OpenClaw leaf subagents can bypass controlScope restrictions to send messages to child sessions

March 26, 2026 (updated April 10, 2026)

Leaf subagents could still use the send action to message controlled child sessions even when their controlScope was narrower than children.

References

github.com/advisories/GHSA-x2cm-hg9c-mf5w
github.com/openclaw/openclaw
github.com/openclaw/openclaw/commit/7679eb375294941b02214c234aff3948796969d0
github.com/openclaw/openclaw/security/advisories/GHSA-x2cm-hg9c-mf5w
nvd.nist.gov/vuln/detail/CVE-2026-35662

Code Behaviors & Features

Detect and mitigate CVE-2026-35662 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →