CVE-2026-32915 Overview
OpenClaw before version 2026.3.11 contains a sandbox boundary bypass vulnerability that allows leaf subagents to access the subagents control surface and resolve against parent requester scope instead of their own session tree. This authorization bypass enables a low-privilege sandboxed leaf worker to steer or kill sibling runs and cause execution with broader tool policies by exploiting insufficient authorization checks on subagent control requests.
Critical Impact
A sandboxed leaf worker with minimal privileges can escape its intended boundaries to control sibling processes and execute operations with elevated tool policies, potentially compromising the entire agent orchestration system.
Affected Products
- OpenClaw versions prior to 2026.3.11
- OpenClaw Node.js package (all affected versions)
- Systems utilizing OpenClaw's subagent orchestration framework
Discovery Timeline
- 2026-03-29 - CVE-2026-32915 published to NVD
- 2026-03-31 - Last updated in NVD database
Technical Details for CVE-2026-32915
Vulnerability Analysis
This vulnerability is classified under CWE-863 (Incorrect Authorization), indicating a fundamental flaw in how OpenClaw validates authorization for subagent control operations. The core issue stems from the subagent control surface failing to properly enforce session tree boundaries, allowing leaf workers to escape their sandboxed execution context.
When a leaf subagent makes a control request, the authorization mechanism incorrectly resolves the request against the parent requester's scope rather than the leaf's own restricted session tree. This architectural flaw means that sandboxed workers can effectively inherit permissions they were never intended to possess, breaking the security model that relies on hierarchical isolation between agent levels.
Root Cause
The root cause lies in insufficient authorization checks within the subagent control request handler. When processing control surface requests from leaf subagents, the system fails to validate that the requester's scope matches their assigned session tree. Instead, the resolution logic traverses upward to the parent requester scope, bypassing the sandbox boundaries designed to isolate leaf workers from accessing sibling processes and elevated tool policies.
Attack Vector
The vulnerability requires local access with low privileges. An attacker operating as a sandboxed leaf worker can craft malicious control requests targeting the subagent control surface. These requests, when processed, resolve against the parent scope rather than the leaf's restricted context, enabling the attacker to:
- Enumerate and interact with sibling subagent runs
- Terminate (kill) sibling processes without proper authorization
- Steer execution flow of other subagents
- Execute operations using broader tool policies than their sandbox permits
The attack does not require user interaction and can be executed by any code running within a leaf subagent context. For detailed technical information about the exploitation mechanism, refer to the GitHub Security Advisory.
Detection Methods for CVE-2026-32915
Indicators of Compromise
- Unexpected control surface requests originating from leaf subagent processes
- Anomalous termination of sibling subagent runs without administrator action
- Leaf workers executing operations with tool policies outside their assigned scope
- Session tree boundary violations in subagent orchestration logs
Detection Strategies
- Monitor subagent control surface access patterns for requests from leaf workers attempting to resolve against parent scopes
- Implement logging for all control surface operations with requester scope validation details
- Alert on any leaf subagent attempting to access sibling process information or control endpoints
- Audit tool policy assignments to detect unauthorized policy elevation
Monitoring Recommendations
- Enable detailed logging for the subagent control surface component
- Monitor for session tree traversal anomalies indicating scope resolution bypasses
- Implement real-time alerting for unauthorized cross-boundary control requests
- Review subagent process termination events for unexpected patterns
How to Mitigate CVE-2026-32915
Immediate Actions Required
- Upgrade OpenClaw to version 2026.3.11 or later immediately
- Review existing subagent deployments for signs of exploitation
- Audit any systems where untrusted code may execute within leaf subagent contexts
- Consider temporarily restricting leaf subagent capabilities until patching is complete
Patch Information
The vulnerability has been addressed in OpenClaw version 2026.3.11. Organizations should upgrade to this version or later to remediate the sandbox boundary bypass. The security fix implements proper authorization checks that ensure subagent control requests are validated against the requester's own session tree scope rather than traversing to parent contexts.
For complete patch details and upgrade instructions, refer to the GitHub Security Advisory and the VulnCheck Advisory.
Workarounds
- Restrict network and resource access for leaf subagent processes at the operating system level
- Implement additional authorization layers external to OpenClaw for control surface operations
- Run untrusted workloads in isolated environments separate from production subagent deployments
- Monitor and rate-limit control surface requests from leaf workers as a defense-in-depth measure
# Upgrade OpenClaw to patched version
npm update openclaw@2026.3.11
# Verify installed version
npm list openclaw
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
