GHSA-hh43-q692-2xmq: Duplicate Advisory: `OpenClaw: session_status` let sandboxed subagents access parent or sibling session state

March 29, 2026 (updated April 1, 2026)

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-wcxr-59v9-rxr8. This link is maintained to preserve external references.

Original Description

OpenClaw before 2026.3.11 contains a session sandbox escape vulnerability in the session_status tool that allows sandboxed subagents to access parent or sibling session state. Attackers can supply arbitrary sessionKey values to read or modify session data outside their sandbox scope, including persisted model overrides.

References

github.com/advisories/GHSA-hh43-q692-2xmq
github.com/openclaw/openclaw
github.com/openclaw/openclaw/security/advisories/GHSA-wcxr-59v9-rxr8
nvd.nist.gov/vuln/detail/CVE-2026-32918
www.vulncheck.com/advisories/openclaw-session-sandbox-escape-via-session-status-tool

Code Behaviors & Features

Detect and mitigate GHSA-hh43-q692-2xmq with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →