OpenClaw: `session_status` sessionId resolution bypasses sandboxed session-tree visibility

Summary

session_status sessionId resolution bypasses sandboxed session-tree visibility

Affected Packages / Versions

Package: openclaw
Affected versions: >= 2026.3.11, <= 2026.3.24
First patched version: 2026.3.25
Latest published npm version at verification time: 2026.3.24

Details

session_status previously resolved a sessionId to a canonical session key after early visibility checks, letting sandboxed children reach parent or sibling sessions that were blocked by explicit sessionKey. Commit d9810811b6c3c9266d7580f00574e5e02f7663de enforces visibility after sessionId resolution so sandboxed callers cannot escape their session tree.

Verified vulnerable on tag v2026.3.24 and fixed on main by commit d9810811b6c3c9266d7580f00574e5e02f7663de.

Fix Commit(s)

d9810811b6c3c9266d7580f00574e5e02f7663de

References

steipete published to openclaw/openclaw Mar 26, 2026

Published to the GitHub Advisory Database Mar 29, 2026

Reviewed Mar 29, 2026

Last updated Mar 29, 2026

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Package

Affected versions

Patched versions

Description

Summary

Affected Packages / Versions

Details

Fix Commit(s)

References

Severity

EPSS score

Weaknesses

Authorization Bypass Through User-Controlled Key

Incorrect Authorization

CVE ID

GHSA ID

Source code

Credits

Uh oh!