GHSA-fwjq-xwfj-gv75: openclaw: auth bypass exposes agent session visibility
GHSA-fwjq-xwfj-gv75 MEDIUM
openclaw versions through 2026.3.28 contain an incorrect authorization flaw (CWE-863) where session_status calls made in non-sandboxed invocation contexts skip the shared tools.sessions.visibility guard entirely, allowing an agent to observe sessions that policy should restrict. The scope is limited to same-agent session-policy bypass rather than a host boundary escape, which tempers immediate severity, but session isolation is a foundational trust boundary in multi-tenant or multi-session AI agent deployments — and with 37 CVEs filed against openclaw, this represents a sustained pattern of security debt in this framework worth escalating. No public exploit exists and the vulnerability is absent from CISA KEV, but the documented AIID #1368 incident — where malicious openclaw skills exfiltrated credentials via ClawHub — demonstrates that session-level access violations in this ecosystem translate to real-world credential compromise. Patch to 2026.3.31 immediately; there is no viable workaround for unfixed versions beyond disabling session_status tooling entirely.
Risk Assessment
Medium risk with elevated context for AI agent deployments. Exploitability requires same-agent access and knowledge of unsandboxed invocation paths — not trivially scriptable, but not requiring deep expertise. Impact is bounded by session data exposure (not arbitrary code execution or host escape), but in agent frameworks where sessions carry conversation context, tool credentials, or user PII, visibility bypass can enable meaningful data harvest. The 37-CVE history of this package is a significant hygiene signal for security teams evaluating openclaw in production.
Affected Systems
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| openclaw | npm | <= 2026.3.28 | 2026.3.31 |
Recommended Action
- Patch: Upgrade openclaw to >= 2026.3.31 immediately. The fix is shipped and available.
- Verify: Confirm your deployment is running 2026.3.31 via `npm list openclaw` or `pip show openclaw`.
- Audit: Review session logs for unexpected session_status calls outside expected sandboxed invocation paths — anomalous cross-session reads are the primary indicator of exploitation.
- Containment: If upgrade is not immediately possible, disable or remove session_status tool access from non-sandboxed agent configurations as a temporary workaround.
- Broader posture: Given 37 CVEs against openclaw, evaluate whether this package meets your AI supply chain security standards and consider alternatives if the vulnerability cadence is unacceptable.
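The Verify and Audit steps above can be scripted. This is an added example, not openclaw code: the log record fields (`tool`, `sandboxed`, `caller`, `target`) and the sample lines are constructed, and the audit assumes a policy under which a session may only read its own status.

```javascript
// Added example. Only the version numbers come from the advisory;
// the log schema and sample records below are constructed.
const FIXED = "2026.3.31"; // first patched release per the advisory

// Numeric, component-wise comparison (so 2026.3.9 sorts below 2026.3.31).
function cmpVersion(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return Math.sign(d);
  }
  return 0;
}

// A pre-release of the fixed version is treated as not patched.
function isPatched(installed) {
  const [core, pre] = installed.split("-", 2);
  const c = cmpVersion(core, FIXED);
  return c > 0 || (c === 0 && pre === undefined);
}

// Constructed JSON-lines tool-call log.
const SAMPLE_LOG = [
  '{"tool":"session_status","sandboxed":true,"caller":"sess-1","target":"sess-1"}',
  '{"tool":"session_status","sandboxed":false,"caller":"sess-1","target":"sess-1"}',
  '{"tool":"session_status","sandboxed":false,"caller":"sess-1","target":"sess-7"}',
  '{"tool":"other_tool","sandboxed":false,"caller":"sess-1","target":null}',
  'truncated or non-JSON line',
].join("\n");

// Flag unsandboxed session_status calls that read a session other than
// the caller's own: the cross-session read the advisory says to look for.
function findSuspectCalls(logText) {
  const hits = [];
  for (const line of logText.split("\n")) {
    let rec;
    try { rec = JSON.parse(line); } catch { continue; } // skip malformed lines
    if (rec.tool !== "session_status" || rec.sandboxed !== false) continue;
    if (rec.target && rec.target !== rec.caller) hits.push(rec);
  }
  return hits;
}
```

Map the field names to whatever your own tool-call logging emits, and widen the `target !== caller` test to match the visibility policy you actually configured.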
Related AI Incidents (1)
Source: AI Incident Database (AIID)
Technical Details
NVD Description
## Summary

`session_status` still bypasses configured `tools.sessions.visibility` for unsandboxed invocations

## Current Maintainer Triage

- Status: narrow
- Normalized severity: medium
- Assessment: Real on shipped v2026.3.22: non-sandboxed session_status skipped the shared visibility guard, but this is a same-agent session-policy bypass with unreleased fix, not a broader host-boundary break.

## Affected Packages / Versions

- Package: `openclaw` (npm)
- Latest published npm version: `2026.3.31`
- Vulnerable version range: `<=2026.3.28`
- Patched versions: `>= 2026.3.31`
- First stable tag containing the fix: `v2026.3.31`

## Fix Commit(s)

- `4d369a3400dc9b737fbe8daa63f09d909ce7beb8` — 2026-03-30T16:48:12+02:00

## Release Process Note

- The fix is already present in released version `2026.3.31`.
- This draft looks ready for final maintainer disposition or publication, not additional code-fix work.

Thanks @tdjackey for reporting.
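The flaw class described above (a shared guard enforced on only one invocation path) is easiest to see next to its corrected shape and a regression check. This is an added sketch, not openclaw source: every function name, the context object, and the policy values `"self"` and `"all"` are hypothetical.

```javascript
// Hypothetical model of the CWE-863 pattern; not openclaw's code or API.
// Constructed session store: three sessions of the same agent.
const SESSIONS = new Map([
  ["sess-1", { agentId: "agent-a", status: "active" }],
  ["sess-2", { agentId: "agent-a", status: "idle" }],
  ["sess-3", { agentId: "agent-a", status: "active" }],
]);

// Shared guard: the one place the visibility policy is enforced.
// Policy values "self" and "all" are assumed for this sketch.
function assertVisible(policy, callerSessionId, targetSessionId) {
  if (policy === "all") return;
  if (policy === "self" && callerSessionId === targetSessionId) return;
  throw new Error(`session ${targetSessionId} not visible under "${policy}"`);
}

// Flawed shape: the guard runs only on the sandboxed branch.
function sessionStatusFlawed(ctx, targetSessionId) {
  if (ctx.sandboxed) {
    assertVisible(ctx.policy, ctx.sessionId, targetSessionId);
  }
  return SESSIONS.get(targetSessionId);
}

// Corrected shape: the guard runs on every path, before any lookup.
function sessionStatusFixed(ctx, targetSessionId) {
  assertVisible(ctx.policy, ctx.sessionId, targetSessionId);
  return SESSIONS.get(targetSessionId);
}

// Regression probe: sess-1 asks for sess-2 under policy "self".
function probe(handler, sandboxed) {
  const ctx = { sandboxed, policy: "self", sessionId: "sess-1" };
  try {
    handler(ctx, "sess-2");
    return "allowed";
  } catch {
    return "denied";
  }
}

// Every handler is exercised in both invocation contexts.
function runMatrix() {
  const row = (h) => ({ sandboxed: probe(h, true), unsandboxed: probe(h, false) });
  return { flawed: row(sessionStatusFlawed), fixed: row(sessionStatusFixed) };
}
```

A test that only exercises the sandboxed path passes for both handlers, which is why the matrix runs each handler in both contexts.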
Exploitation Scenario
An adversary who has achieved AI agent tool invocation capability (via prompt injection, a malicious skill, or legitimate access escalation) calls session_status outside of a sandboxed invocation context. Because the unsandboxed code path skips the visibility guard check, the call returns session metadata and context for sessions the agent is not authorized to access. In a multi-user deployment, this allows the adversary to enumerate active sessions, extract conversation history, retrieve cached credentials or API tokens stored in session state, and map user activity patterns — all without triggering the authorization controls the operator configured. In the context of AIID #1368, this mechanism would complement malicious skill deployment: a poisoned skill invokes session_status unsandboxed, harvests session tokens, and exfiltrates them via a secondary tool call.
Related Vulnerabilities
- CVE-2026-30741 9.8 OpenClaw: RCE via request-side prompt injection. Same package: openclaw
- CVE-2026-28451 9.3 OpenClaw: SSRF via Feishu extension exposes internal services. Same package: openclaw
- GHSA-m3mh-3mpg-37hw 8.6 OpenClaw: .npmrc hijack enables RCE on plugin install. Same package: openclaw
- CVE-2026-27001 7.8 OpenClaw: prompt injection via unsanitized workspace path. Same package: openclaw
- GHSA-hr5v-j9h9-xjhg 7.7 OpenClaw: sandbox escape via mediaUrl path traversal. Same package: openclaw