Mar 14, 2026
OpenClaw versions prior to v2026.3.11 contain a critical authorization bypass in the `session_status` tool. Sandboxed subagents can supply a parent session key to access restricted metadata and API keys, breaking the intended isolation boundaries. Users must upgrade to v2026.3.11 or restrict the tool's usage via policy configuration.
The OpenClaw `session_status` tool fails to properly validate authorization boundaries when processing the `sessionKey` parameter. This flaw allows restricted sandboxed subagents to read or influence the state of higher-privileged parent sessions, resulting in a critical sandbox escape.
OpenClaw utilizes a hierarchical architecture where main agents can spawn sandboxed subagents to perform specific, isolated tasks. These subagents are intentionally restricted to their own session context to prevent unauthorized access to the broader system or the parent agent's state.
The built-in session_status tool provides agents with the ability to query session metadata and execution status. A vulnerability exists within this tool due to improper authorization checks. The tool accepts a sessionKey parameter to determine which session to query but fails to enforce session-visibility boundaries.
Without proper access control validation, a sandboxed subagent can supply the sessionKey of a parent or sibling session to the session_status tool. The tool processes the request and returns the target session's state to the unauthorized subagent.
This behavior constitutes a sandbox escape (CWE-693). The subagent breaches its restricted context, gaining the ability to inspect or influence sessions that should be strictly inaccessible.
The underlying flaw resides in the implementation of the session_status tool, located in src/agents/tools/session-status-tool.ts. The code processes the optional sessionKey parameter strictly as a routing selector rather than an authorization token.
When a sessionKey is provided, the tool retrieves the session state associated with that specific key from the underlying data store. However, the implementation lacks a mandatory validation step to verify the relationship between the calling agent and the requested session.
The system fails to check if the caller possesses a valid "parent-child" or explicitly shared relationship with the target sessionKey. Consequently, the tool blindly trusts the input and returns the data to whichever agent issued the request.
Exploitation of this root cause is highly reliable because parent session keys frequently follow predictable naming conventions, such as agent:main:user:123. In many OpenClaw configurations, these keys are also inadvertently exposed to subagents via environment variables or shared metadata.
In versions prior to v2026.3.11, the session_status tool queried the session data without verifying ownership. The vulnerable logic simply extracted the sessionKey from the tool parameters and passed it to the state manager.
The official patch (PR #43754) introduces explicit session-tree visibility checks. The updated implementation intercepts the tool execution and validates that the requested sessionKey belongs to either the caller's own session or a direct descendant in the agent's task tree.
```typescript
// Pseudo-code representation of the patch logic
const requestedKey = parameters.sessionKey || currentAgent.sessionKey;

// Added Validation Guard
if (!SessionTree.isDescendantOrSelf(currentAgent.sessionKey, requestedKey)) {
  if (!PolicyGuard.hasExplicitSharedAccess(currentAgent, requestedKey)) {
    throw new Error("Unauthorized access to session state");
  }
}

const sessionData = await StateManager.getSession(requestedKey);
```

Furthermore, the patch implements an owner-only marking system for sensitive data nodes. Even when an authorized agent queries a valid session, high-privileged metadata such as provider API keys are redacted from the status output, ensuring a defense-in-depth approach against data leakage.
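A runnable sketch of the two controls described above, the session-tree visibility check and the redaction of owner-only fields. It is an added example, not OpenClaw's code: the in-memory store, `makeSession`, `isDescendantOrSelf`, `sessionStatus`, `tryStatus`, the field layout and the sample keys are all hypothetical, and the explicit shared-access policy branch is left out.

```typescript
// Added illustration, not OpenClaw source; every identifier here is hypothetical.
type Field = { value: string; ownerOnly: boolean };
type SessionRecord = { parentKey: string | null; fields: Record<string, Field> };

function makeSession(parentKey: string | null, model: string, apiKey: string): SessionRecord {
  return { parentKey, fields: {
    model: { value: model, ownerOnly: false },
    providerApiKey: { value: apiKey, ownerOnly: true },
  } };
}

// Constructed store: one main session that spawned two sandboxed subagents.
const SESSION_STORE: Record<string, SessionRecord> = {
  "agent:main:user:123": makeSession(null, "model-large", "sk-CONSTRUCTED-main"),
  "agent:sub:research:1": makeSession("agent:main:user:123", "model-small", "sk-CONSTRUCTED-1"),
  "agent:sub:research:2": makeSession("agent:main:user:123", "model-small", "sk-CONSTRUCTED-2"),
};

// True when `target` is `caller` itself or sits below it in the spawn tree.
function isDescendantOrSelf(caller: string, target: string): boolean {
  let cursor: string | null = target;
  for (let hops = 0; cursor !== null && hops < 64; hops++) { // cap guards against cycles
    if (cursor === caller) return true;
    const rec: SessionRecord | undefined = SESSION_STORE[cursor];
    cursor = rec ? rec.parentKey : null;
  }
  return false;
}

function sessionStatus(callerKey: string, requestedKey?: string): Record<string, string> {
  const target = requestedKey || callerKey;
  const rec: SessionRecord | undefined = SESSION_STORE[target];
  // The caller-supplied key is checked against the tree before any state is returned;
  // unknown and forbidden keys fail with the same error so the tool is not a key oracle.
  if (!rec || !isDescendantOrSelf(callerKey, target)) {
    throw new Error("Unauthorized access to session state");
  }
  const view: Record<string, string> = { sessionKey: target };
  for (const fieldName of Object.keys(rec.fields)) {
    const field = rec.fields[fieldName];
    view[fieldName] = field.ownerOnly ? "[redacted]" : field.value; // defense in depth
  }
  return view;
}

// Returns the tool's view, or the string "DENIED" when the guard rejects the call.
function tryStatus(callerKey: string, requestedKey?: string): Record<string, string> | string {
  try { return sessionStatus(callerKey, requestedKey); } catch { return "DENIED"; }
}
```

A subagent asking for its parent or a sibling gets `DENIED`, while the main session can still read a child's status with the API key redacted.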
Exploitation requires an attacker to control the execution flow of a subagent within the OpenClaw environment. This scenario typically arises when a main agent spawns a subagent to process untrusted input or perform external research tasks.
The attacker first instructs the subagent to identify the parent session key. The subagent can achieve this by inspecting its local environment variables or by guessing the key based on predictable sequential naming conventions.
Once the target sessionKey is identified, the subagent invokes the session_status tool using a standard tool-call payload. The attacker crafts the parameters to explicitly target the parent session.
```json
{
  "tool": "session_status",
  "parameters": {
    "sessionKey": "agent:main:user:123"
  }
}
```

The tool processes the unauthorized request and returns the full state of the main agent's session. The subagent receives this sensitive data, completing the access control bypass and sandbox escape.
The vulnerability carries a critical CVSS score of 9.9. The "Scope: Changed" (S:C) metric accurately reflects the subagent's ability to compromise the parent system context, breaking the fundamental isolation guarantees of the OpenClaw architecture.
Successful exploitation results in severe data leakage. The unauthorized subagent gains direct read access to the parent session's state. This state typically contains highly sensitive information, including provider API keys, previous conversation histories, and internal configuration parameters.
Beyond data exposure, the leaked information can enable further attacks. An attacker can leverage extracted API keys or configuration data to manipulate the parent agent's execution context, escalate privileges, or move laterally within the deployment environment.
> [!NOTE]
> The EPSS score for this vulnerability is currently low (0.04%). This reflects a lack of observed exploitation in the wild at the time of publication, but the availability of a functional Proof of Concept dictates immediate remediation.
The primary and most effective remediation is to upgrade OpenClaw to version v2026.3.11. This release incorporates the necessary access control validation, session-tree checks, and data redaction mechanisms required to secure the session_status tool.
For environments where immediate patching is not possible, administrators must implement policy-based mitigations. Security teams should audit the src/agents/pi-tools.policy.ts configuration file to review tool assignment policies.
Administrators must restrict the availability of the session_status tool. Ensure the tool is only granted to trusted agents that strictly require it for operational purposes, and explicitly remove it from the tool profiles of any untrusted or externally-facing subagents.
Finally, organizations should monitor tool execution logs for anomalous cross-session access attempts. Invocations of the session_status tool where the sessionKey parameter differs from the caller's context should trigger immediate security alerts.
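One way to implement the log check described above, as an added example rather than anything shipped with OpenClaw. The JSON-lines schema (`callerSession`, `tool`, `parameters.sessionKey`), the function names and the sample entries are assumptions constructed for illustration; adapt the field names to whatever your deployment actually logs.

```typescript
// Added illustration; the JSON-lines log schema below is an assumption, not OpenClaw's format.
type ToolCallLog = { callerSession?: unknown; tool?: unknown; parameters?: { sessionKey?: unknown } };
type CrossSessionAlert = { callerSession: string; targets: string[]; calls: number };

// Constructed sample log lines (one tool invocation per line).
const SAMPLE_TOOL_LOG: string[] = [
  '{"callerSession":"agent:sub:research:1","tool":"session_status","parameters":{}}',
  '{"callerSession":"agent:sub:research:1","tool":"session_status","parameters":{"sessionKey":"agent:sub:research:1"}}',
  '{"callerSession":"agent:sub:research:1","tool":"session_status","parameters":{"sessionKey":"agent:main:user:122"}}',
  '{"callerSession":"agent:sub:research:1","tool":"session_status","parameters":{"sessionKey":"agent:main:user:123"}}',
  '{"callerSession":"agent:sub:research:1","tool":"session_status","parameters":{"sessionKey":"agent:main:user:123"}}',
  '{"callerSession":"agent:sub:research:1","tool":"web_search","parameters":{"query":"constructed"}}',
  '{"callerSession":"agent:main:user:123","tool":"session_status","parameters":{}}',
  'truncated or corrupted line',
];

function parseLogLine(line: string): ToolCallLog | null {
  try {
    const v: unknown = JSON.parse(line);
    return v !== null && typeof v === "object" ? (v as ToolCallLog) : null;
  } catch { return null; }
}

// Groups session_status calls whose sessionKey differs from the caller's own session.
function findCrossSessionStatusCalls(lines: string[]): { alerts: CrossSessionAlert[]; unparsed: number } {
  const byCaller: Record<string, CrossSessionAlert> = {};
  let unparsed = 0;
  for (const line of lines) {
    const entry = parseLogLine(line);
    if (entry === null) { unparsed++; continue; }   // count gaps instead of hiding them
    const caller = entry.callerSession;
    if (entry.tool !== "session_status" || typeof caller !== "string") continue;
    const requested = entry.parameters ? entry.parameters.sessionKey : undefined;
    if (requested === undefined) continue;          // omitted key means "my own session"
    const target = typeof requested === "string" ? requested : JSON.stringify(requested);
    if (target === caller) continue;
    if (!byCaller[caller]) byCaller[caller] = { callerSession: caller, targets: [], calls: 0 };
    const alert = byCaller[caller];
    alert.calls++;
    if (alert.targets.indexOf(target) === -1) alert.targets.push(target); // distinct keys tried
  }
  return { alerts: Object.keys(byCaller).map((k) => byCaller[k]), unparsed };
}
```

This applies the rule literally, so a parent that legitimately queries its own subagent is reported as well; triage those by the caller's position in the session tree. Several distinct `targets` from one sandboxed caller is the stronger signal, since it suggests key guessing.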
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L

| Product | Affected Versions | Fixed Version |
|---|---|---|
| OpenClaw | < v2026.3.11 | v2026.3.11 |

| Attribute | Detail |
|---|---|
| CWE ID | CWE-285, CWE-639, CWE-693 |
| Attack Vector | Network (Adjacent/Sandboxed Agent) |
| CVSS Score | 9.9 (Critical) |
| EPSS Score | 0.00043 |
| Impact | Data Leakage, Sandbox Escape, Privilege Escalation |
| Exploit Status | Proof of Concept (PoC) Available |
Improper Authorization