| Field | Value |
|---|---|
| Vulnerability ID | VCID-9yxw-fj1c-tff9 |
| Aliases | GHSA-q2qc-744p-66r2 |
| Summary | OpenClaw: `session_status` sessionId resolution bypasses sandboxed session-tree visibility |
| Status | Published |
| Exploitability | 0.5 |
| Weighted Severity | 8.0 |
| Risk | 4.0 |

## Summary

`session_status` sessionId resolution bypasses sandboxed session-tree visibility.

## Affected Packages / Versions

- Package: `openclaw`
- Affected versions: `>= 2026.3.11, <= 2026.3.24`
- First patched version: `2026.3.25`
- Latest published npm version at verification time: `2026.3.24`

## Details

`session_status` previously resolved a `sessionId` to a canonical session key only after the early visibility checks had run, so a sandboxed child session could reach parent or sibling sessions by `sessionId` even though the same sessions were blocked when addressed by an explicit `sessionKey`. Commit `d9810811b6c3c9266d7580f00574e5e02f7663de` enforces the visibility check after `sessionId` resolution, so sandboxed callers cannot escape their session tree.

Verified vulnerable on tag `v2026.3.24` and fixed on `main` by commit `d9810811b6c3c9266d7580f00574e5e02f7663de`.

## Fix Commit(s)

- `d9810811b6c3c9266d7580f00574e5e02f7663de`
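The check-then-resolve ordering the advisory describes, shown as an added illustration that is not OpenClaw's code: the session store, the tree layout, and the names `isVisible`, `resolveSessionId`, `sessionStatusVulnerable` and `sessionStatusFixed` are all hypothetical, modelled only on the advisory text.

```javascript
// Constructed sample session tree (hypothetical, not OpenClaw's data model):
// root -> parent -> { child, sibling }.  'child' is the sandboxed caller.
const SESSIONS = {
  root:    { id: 'id-root',    parentKey: null,     status: 'active' },
  parent:  { id: 'id-parent',  parentKey: 'root',   status: 'active' },
  child:   { id: 'id-child',   parentKey: 'parent', status: 'active' },
  sibling: { id: 'id-sibling', parentKey: 'parent', status: 'idle' },
};

// A sandboxed caller may see only its own session and that session's
// descendants: walk from the target up to the root looking for callerKey.
function isVisible(callerKey, targetKey) {
  for (let k = targetKey; k != null; k = SESSIONS[k]?.parentKey) {
    if (k === callerKey) return true;
  }
  return false;
}

// Map a sessionId to its canonical session key, or null if unknown.
function resolveSessionId(sessionId) {
  const hit = Object.entries(SESSIONS).find(([, s]) => s.id === sessionId);
  return hit ? hit[0] : null;
}

// Vulnerable ordering (as described in the advisory): visibility is checked
// only on an explicit sessionKey; the sessionId branch resolves to the
// canonical key *after* that check and is never re-checked.
function sessionStatusVulnerable(callerKey, { sessionKey, sessionId }) {
  if (sessionKey !== undefined && !isVisible(callerKey, sessionKey)) {
    return { error: 'not visible' };
  }
  const key = sessionKey ?? resolveSessionId(sessionId);
  if (key === null || !(key in SESSIONS)) return { error: 'not found' };
  return { key, status: SESSIONS[key].status };
}

// Fixed ordering: resolve first, then enforce visibility on the canonical
// key, so both addressing forms are subject to the same tree check.
function sessionStatusFixed(callerKey, { sessionKey, sessionId }) {
  const key = sessionKey ?? resolveSessionId(sessionId);
  if (key === null || !(key in SESSIONS)) return { error: 'not found' };
  if (!isVisible(callerKey, key)) return { error: 'not visible' };
  return { key, status: SESSIONS[key].status };
}
```

The regression check to keep in a test suite is the third case below: the same parent session that is denied by `sessionKey` must also be denied when addressed by `sessionId`.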
| System | Score | Found at |
|---|---|---|
| cvssv3.1_qr | HIGH | https://github.com/advisories/GHSA-q2qc-744p-66r2 |
| generic_textual | HIGH | https://github.com/openclaw/openclaw |
| generic_textual | HIGH | https://github.com/openclaw/openclaw/commit/d9810811b6c3c9266d7580f00574e5e02f7663de |
| cvssv3.1_qr | HIGH | https://github.com/openclaw/openclaw/security/advisories/GHSA-q2qc-744p-66r2 |
| generic_textual | HIGH | https://github.com/openclaw/openclaw/security/advisories/GHSA-q2qc-744p-66r2 |
No EPSS data available for this vulnerability.
| Date | Actor | Action | Source | VulnerableCode Version |
|---|---|---|---|---|
| 2026-06-04T16:57:43.737133+00:00 | GithubOSV Importer | Import | https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-q2qc-744p-66r2/GHSA-q2qc-744p-66r2.json | 38.6.0 |