CVE-2026-44997 Overview
CVE-2026-44997 is a security envelope constraint bypass vulnerability in OpenClaw versions prior to 2026.4.22. The flaw allows restricted subagents to spawn Agent Communication Protocol (ACP) child sessions that fail to inherit envelope constraints from the parent subagent. Child sessions do not honor depth limits, child-count limits, control scope, or target-agent restrictions. An attacker operating within a restricted subagent context can spawn child sessions that bypass the original subagent-only constraints. This can lead to privilege escalation or unauthorized access to restricted resources. The vulnerability is categorized under [CWE-266: Incorrect Privilege Assignment].
Critical Impact
Restricted subagents can escape envelope constraints by spawning ACP child sessions, enabling access to tools and targets outside the intended security boundary.
Affected Products
- OpenClaw versions prior to 2026.4.22
- Deployments running OpenClaw on Node.js
- Environments using ACP subagent sessions with envelope constraints
Discovery Timeline
- 2026-05-11 - CVE CVE-2026-44997 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-44997
Vulnerability Analysis
OpenClaw implements a security envelope around subagent sessions to restrict tool access, recursion depth, and target-agent reach. The vulnerability arises because ACP child sessions spawned from a restricted subagent do not inherit the parent's envelope. The child session is treated as a fresh context rather than a continuation of a constrained one. As a result, control scope and target-agent restrictions are silently dropped at the session boundary. The exploitability requires low privileges and a present attack requirement, with the impact limited to integrity within the same scope.
Root Cause
The root cause lies in the subagent capability resolution logic in src/agents/pi-tools.policy.ts and src/agents/pi-embedded-runner/effective-tool-policy.ts. Session identity checks relied on isSubagentSessionKey, which only inspects the session key shape rather than confirming whether the session operates inside an active subagent envelope. ACP child sessions inherit a different key shape, so the policy resolver fails to apply stored subagent capabilities. The fix introduces isSubagentEnvelopeSession and resolveSubagentCapabilityStore to anchor enforcement to the envelope rather than the key.
Attack Vector
An attacker with access to a restricted subagent context issues an ACP request to spawn a child session. Because the child session is not recognized as part of the envelope, the effective tool policy resolves to the unrestricted group or global policy. The attacker invokes tools, target agents, or recursion paths that the parent envelope explicitly denied.
// Patch excerpt: src/agents/pi-embedded-runner/effective-tool-policy.ts
import type { OpenClawConfig } from "../../config/types.openclaw.js";
import { getPluginToolMeta } from "../../plugins/tools.js";
-import { isSubagentSessionKey } from "../../routing/session-key.js";
import {
resolveEffectiveToolPolicy,
resolveGroupContextFromSessionKey,
resolveGroupToolPolicy,
resolveSubagentToolPolicyForSession,
} from "../pi-tools.policy.js";
+import {
+ isSubagentEnvelopeSession,
+ resolveSubagentCapabilityStore,
+} from "../subagent-capabilities.js";
// Source: https://github.com/openclaw/openclaw/commit/31160dc069b7cc5d833b39c53736a41ad3befda2
Detection Methods for CVE-2026-44997
Indicators of Compromise
- ACP child session creation events originating from sessions tagged as subagent-restricted
- Tool invocations on child sessions that exceed the parent subagent's allowed tool list
- Recursion depth or child-count metrics exceeding the configured envelope limits
Detection Strategies
- Audit OpenClaw session logs for spawn events where parent session is a subagent and child session executes out-of-policy tools
- Compare effective tool policy resolved per session against the subagent capability store to flag divergence
- Monitor for target-agent invocations from child sessions that the parent envelope did not authorize
Monitoring Recommendations
- Enable verbose logging on resolveEffectiveToolPolicy and resolveSubagentToolPolicyForSession code paths
- Track ACP child session lineage and assert envelope inheritance on every policy resolution
- Alert when session depth or child-count exceeds documented subagent limits
How to Mitigate CVE-2026-44997
Immediate Actions Required
- Upgrade OpenClaw to version 2026.4.22 or later
- Inventory all deployments running OpenClaw on Node.js and confirm the patched commit 31160dc is present
- Review existing subagent configurations and audit recent ACP child session activity for policy violations
Patch Information
The fix is delivered in commit 31160dc069b7cc5d833b39c53736a41ad3befda2, which enforces subagent envelope inheritance on ACP child sessions. The patch replaces session-key shape checks with envelope-aware checks via isSubagentEnvelopeSession and resolveSubagentCapabilityStore. Refer to the GitHub Security Advisory GHSA-q3jj-46pq-826r and the VulnCheck Advisory for additional details.
Workarounds
- Disable ACP child session spawning from subagent contexts until the patch is applied
- Restrict subagent tool policies at the group level so escape still yields minimal capability
- Reject ACP requests originating from sessions whose key shape does not match the active envelope
# Update to the patched release
npm install openclaw@2026.4.22
# Verify installed version
npm list openclaw
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
