GHSA-Q2QC-744P-66R2: OpenClaw session_status Sandbox Bypass via sessionId Resolution

OpenClaw provides an AI personal assistant framework featuring a sandboxed mode. This mode restricts specific agents to their designated session tree. The session_status tool operates within this ecosystem, allowing agents to query the operational state of active sessions.

A vulnerability exists within this tool that compromises the isolation guarantees of the sandbox. The flaw is classified as Improper Authorization (CWE-285) and Insecure Direct Object Reference (CWE-639). It permits a sandboxed subagent to access metadata belonging to parent or sibling sessions.

The core issue stems from an incorrect order of operations during input processing. The session_status tool resolves short session aliases into canonical keys before evaluating security boundaries. This specific sequence leads to a complete bypass of the visibility guard.

The session_status tool accepts a sessionKey parameter to specify the target session. This parameter can be provided as a canonical key (starting with agent:) or a shorter sessionId alias. The system normalizes the input by resolving the alias to its canonical form via the sessions.resolve function.

The visibility guard determines if the requested session falls within the authorized session tree of the querying agent. The logic relies on checking if the input string begins with agent: to decide whether to execute the security check.

The flaw occurs because the resolution step mutates the requestedKeyRaw variable to the canonical agent: format before the guard condition is evaluated. Consequently, the visibility guard checks the mutated string instead of the original input. Because the string was already converted, the condition !requestedKeyRaw.startsWith("agent:") evaluates to false. The security check is skipped entirely for any input that originated as a short alias.

The vulnerable implementation modifies the input variable before the security check occurs. This architectural mistake allows aliases to bypass the authorization requirements.

// Vulnerable Implementation
// Resolution block rewrites requestedKeyRaw to an explicit "agent:..." key
if (resolved && !requestedKeyRaw.startsWith("agent:")) {
    requestedKeyRaw = resolved.key;
}
 
// Flawed guard check: requestedKeyRaw now starts with "agent:", so check is skipped
if (visibilityGuard && !requestedKeyRaw.startsWith("agent:")) {
    visibilityGuard.check(normalizeVisibilityTargetSessionKey(resolved.key, agentId));
}

The patch introduced in commit d9810811b6c3c9266d7580f00574e5e02f7663de introduces a boolean flag named isExplicitAgentKey. This flag stores the original state of the input before any mutation takes place.

// Patched Implementation
const isExplicitAgentKey = requestedKeyRaw.startsWith("agent:");
 
// Resolution uses the pre-resolution flag
if (resolved && !isExplicitAgentKey) {
    requestedKeyRaw = resolved.key;
}
 
// Correct guard check using the pre-resolution flag
if (visibilityGuard && !isExplicitAgentKey) {
    const access = visibilityGuard.check(
      normalizeVisibilityTargetSessionKey(resolved.key, agentId),
    );
    // ... handle access
}

This fix ensures the guard logic evaluates the original input type rather than the post-resolution string. The implementation fully resolves the logic flow error, preventing alias-based inputs from bypassing the visibility check.

An attacker controlling a sandboxed subagent must first identify or guess a valid sessionId outside their authorized tree. The sessionId format typically follows a predictable string structure. This predictability reduces the complexity of acquiring a valid target alias.

The attacker invokes the session_status tool using the target sessionId alias instead of the canonical agent: key. The system accepts the alias and resolves it internally. The mutated string causes the application to bypass the visibility guard logic.

The tool subsequently returns the status metadata for the unauthorized session. The official OpenClaw test suite includes a proof-of-concept demonstrating this execution path. The exploit requires no special network position, only standard access to the sandboxed agent environment.

// PoC execution triggering the bypass
const tool = getSessionStatusTool("agent:main:subagent:child", {
  sandboxed: true,
});
 
// Providing the alias 's-parent' bypasses the guard
await tool.execute("call7-parent-session-id", {
  sessionKey: "s-parent",
});

Successful exploitation results in unauthorized read access to session metadata. The attacker successfully breaches the logical isolation provided by the OpenClaw sandbox.

The exposed metadata pertains to parent or sibling sessions that operate outside the restricted environment. While the vulnerability does not directly grant arbitrary code execution, it exposes internal state information. This disclosure aids an attacker in mapping the broader OpenClaw architecture and session hierarchy.

The confidentiality impact is constrained to session status metadata. The integrity and availability of the system remain unaffected. The vulnerability requires existing access to a sandboxed agent, limiting the initial attack vector to authenticated or internally provisioned contexts.

The vulnerability is addressed in OpenClaw version 2026.3.25 and fully resolved in version 2026.3.26. Organizations must upgrade the openclaw npm package to version 2026.3.26 or later to ensure complete remediation.

If immediate patching is unfeasible, administrators can apply a configuration workaround. The session_status tool can be explicitly disabled for sandboxed agents. This is achieved by modifying the agents.list[].tools array in the environment configuration to omit the vulnerable tool.

Detection engineering efforts should monitor tool execution traces. Defenders should alert on session_status tool invocations where the sessionKey parameter utilizes a short alias format instead of the standard canonical structure.