Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
6Blast Radius
ecosystem impact- 3 npm packages depend on openclaw (3 direct, 0 indirect)
Ecosystem-wide dependent count for version 2026.3.11.
DescriptionCVE.org
OpenClaw before 2026.3.11 contains a sandbox boundary bypass vulnerability allowing leaf subagents to access the subagents control surface and resolve against parent requester scope instead of their own session tree. A low-privilege sandboxed leaf worker can steer or kill sibling runs and cause execution with broader tool policies by exploiting insufficient authorization checks on subagent control requests.
AnalysisAI
Sandbox escape in OpenClaw versions before 2026.3.11 enables low-privilege leaf subagents to bypass isolation boundaries and manipulate sibling processes with elevated tool policies. Local authenticated attackers can terminate competing worker threads, redirect execution flows, and execute operations outside their intended security context by exploiting insufficient authorization on subagent control APIs. EPSS data not available for this recent CVE; no public exploit identified at time of analysis, though the technical advisory provides detailed vulnerability mechanics.
Technical ContextAI
OpenClaw implements a hierarchical subagent architecture where leaf workers operate in sandboxed execution contexts with restricted tool policies and isolated session trees. The vulnerability exists in the subagent control surface authorization layer, which fails to validate that control requests originate from appropriately scoped parent contexts. CWE-863 (Incorrect Authorization) manifests here as missing access control checks on inter-agent communication primitives. When a leaf subagent issues control commands (terminate, redirect, policy override), the system resolves these against the parent requester's scope rather than enforcing the leaf's own session boundary. This architectural flaw violates the principle of least privilege in multi-tenant agent orchestration systems, where each subagent should only control resources within its delegated security domain. The affected component is the request routing and authorization middleware that handles cross-agent RPC calls in the OpenClaw runtime.
RemediationAI
Upgrade immediately to OpenClaw version 2026.3.11 or later, which implements proper authorization checks on subagent control surface requests. The patch enforces scope validation to ensure leaf workers cannot issue control commands outside their delegated session trees. Organizations should verify that subagent control requests are authenticated against the originating context rather than parent scope after upgrade. Detailed remediation guidance is available in the vendor's security advisory at https://github.com/openclaw/openclaw/security/advisories/GHSA-4w7m-58cg-cmff and comprehensive analysis at https://www.vulncheck.com/advisories/openclaw-sandbox-boundary-bypass-via-subagent-control-surface. No workarounds are documented; patching is the only effective mitigation. Post-upgrade, audit existing subagent configurations to ensure least-privilege tool policies are correctly enforced at each hierarchy level.
Auth bypass in OpenClaw voice-call extension before 2026.2.1. EPSS 0.68%. PoC and patch available.
Privilege escalation in OpenClaw (pre-2026.3.28) allows unauthenticated remote attackers to gain administrative access b
OpenClaw versions 2026.2.22 through 2026.2.24 contain a privilege escalation vulnerability that allows authenticated att
An authorization mismatch vulnerability in OpenClaw versions prior to 2026.3.1 allows authenticated users with operator.
OpenClaw versions prior to 2026.1.29 automatically establish WebSocket connections to attacker-controlled gateway URLs e
Path traversal in OpenClaw through version 2026.3.23 enables unauthenticated remote attackers to read arbitrary files in
OpenClaw sandbox browser functionality launches x11vnc for noVNC observer sessions without requiring authentication, all
OpenClaw versions before 2026.2.26 allow authenticated attackers to write arbitrary files outside the workspace director
OpenClaw versions prior to 2026.2.22 contain a shell environment variable injection vulnerability in the system.run func
OpenClaw versions prior to 2026.2.22 contain a resource exhaustion vulnerability where the application fails to consiste
OpenClaw versions prior to 2026.3.1 contain a sandbox escape vulnerability that allows authenticated attackers with low
OpenClaw versions 2026.1.30 and below fail to validate Telegram webhook secret tokens when `channels.telegram.webhookSec
Same weakness CWE-863 – Incorrect Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-16997