LeakyCreds

CVE-2026-32918 - Vulnerability Analysis

Severity: High | CVSS: 8.4

Last Updated: March 31, 2026

OpenClaw - Broken Access Control

Published: March 29, 2026 | Updated: March 31, 2026

Overview

OpenClaw before 2026.3.11 contains a sandbox escape vulnerability caused by improper sessionKey validation in the session_status tool. Because the tool does not check that a supplied sessionKey belongs to the caller's own sandbox, sandboxed subagents can read or modify parent or sibling session state. Exploitation requires the attacker to supply arbitrary sessionKey values.

Severity & Score

Severity: High
CVSS Score: 8.4
EPSS Score: 1.1% (probability of exploitation in the next 30 days)

Impact

Attackers can read or modify session data outside their sandbox, potentially leading to unauthorized data access or tampering.
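To show the class of check whose absence is described above, here is an added illustration (hypothetical code, not OpenClaw's own) of a session_status-style lookup: the unscoped version trusts the caller-supplied sessionKey, while the scoped version only returns sessions that are the caller's own or descendants of it. The session tree, key names and field names are constructed for this example.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Session:
    key: str
    parent: Optional[str]          # key of the spawning session, None for a root
    state: dict = field(default_factory=dict)


# Constructed sample tree: one parent, two sandboxed subagents, one nested child.
SESSIONS = {
    "parent-1": Session("parent-1", None, {"task": "plan"}),
    "sub-a": Session("sub-a", "parent-1", {"task": "fetch"}),
    "sub-b": Session("sub-b", "parent-1", {"task": "summarize"}),
    "sub-a-child": Session("sub-a-child", "sub-a", {"task": "parse"}),
}


def session_status_unscoped(caller_key: str, session_key: str) -> Optional[dict]:
    # Vulnerable pattern (CWE-863): the supplied key is looked up directly,
    # so a subagent can read its parent's or a sibling's state.
    s = SESSIONS.get(session_key)
    return None if s is None else dict(s.state)


def is_within_scope(caller_key: str, session_key: str) -> bool:
    # In scope = the caller itself or any session spawned beneath it.
    # Walk up the parent chain; a hop limit guards against a corrupted tree.
    cur: Optional[str] = session_key
    for _ in range(len(SESSIONS) + 1):
        if cur is None:
            return False
        if cur == caller_key:
            return True
        s = SESSIONS.get(cur)
        cur = None if s is None else s.parent
    return False


def session_status_scoped(caller_key: str, session_key: str) -> dict:
    # Hardened pattern: authorize the key against the caller's sandbox first.
    if not is_within_scope(caller_key, session_key):
        raise PermissionError(f"{caller_key} may not access session {session_key}")
    return dict(SESSIONS[session_key].state)
```

The same scope check should guard any write path to session state, not only status reads.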

Mitigation

Update to version 2026.3.11 or later.

Social Media Activity (1 post)

TheHackerWire
@thehackerwire
Mar 29, 2026

🟠 CVE-2026-32918 - High (8.4) OpenClaw before 2026.3.11 contains a session sandbox escape vulnerability in the session_status tool that allows sandboxed subagents to access parent or sibling session state. Attackers can supply arbitrary sessionKey values to read or modify sess... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-32918/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack


Details

CVE ID: CVE-2026-32918
Severity: High
CVSS Score: 8.4
Type: broken_access_control
Status: confirmed
EPSS: 1.1%
Social Posts: 1

CWE

  • CWE-863

CVSS Metrics

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N

EPSS Score

1.1% (probability of exploitation in the next 30 days)