GHSA-x2cm-hg9c-mf5w: OpenClaw leaf subagents can bypass controlScope restrictions to send messages to child sessions

March 26, 2026

Leaf subagents could still use the send action to message controlled child sessions even when their controlScope was narrower than children.

References

github.com/advisories/GHSA-x2cm-hg9c-mf5w
github.com/openclaw/openclaw
github.com/openclaw/openclaw/commit/7679eb375294941b02214c234aff3948796969d0
github.com/openclaw/openclaw/security/advisories/GHSA-x2cm-hg9c-mf5w

Code Behaviors & Features

Detect and mitigate GHSA-x2cm-hg9c-mf5w with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →