CVE-2026-32915

HIGH

OpenClaw before 2026.3.11 contains a sandbox boundary bypass vulnerability allowing leaf subagents to access the subagents control surface and resolve against parent requester scope instead of their own session tree. A low-privilege sandboxed leaf worker can steer or kill sibling runs and cause execution with broader tool policies by exploiting insufficient authorization checks on subagent control requests.

CVSS v3.1 Score

8.8
HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector
LOCAL
Complexity
LOW
Privileges
LOW
User Interaction
NONE
Scope
CHANGED
Confidentiality
HIGH
Integrity
HIGH
Availability
HIGH
Published: 3/29/2026Modified: 3/31/2026

Related Intelligence (1)

HIGHVulnerability

NVD HIGH: CVE-2026-32915 — OpenClaw before 2026.3.11 contains a sandbox boundary bypass vulnerability allow...

OpenClaw before 2026.3.11 contains a sandbox boundary bypass vulnerability allowing leaf subagents to access the subagents control surface and resolve against parent requester scope instead of their own session tree. A low-privilege sandboxed leaf worker can steer or kill sibling runs and cause execution with broader tool policies by exploiting insufficient authorization checks on subagent control

CVE-2026-32915
NIST NVD

References (2)

https://github.com/openclaw/openclaw/security/advisories/GHSA-4w7m-58cg-cmffVendor Advisoryhttps://www.vulncheck.com/advisories/openclaw-sandbox-boundary-bypass-via-subagent-control-surfaceThird Party Advisory