GHSA-4w7m-58cg-cmff
Suggest an improvement- Source
- https://github.com/advisories/GHSA-4w7m-58cg-cmff
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-4w7m-58cg-cmff/GHSA-4w7m-58cg-cmff.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-4w7m-58cg-cmff
- Downstream
- Published
- 2026-03-13T15:47:34Z
- Modified
- 2026-03-14T08:48:06.677388Z
- Severity
-
- 8.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H CVSS Calculator
- Summary
- OpenClaw: Leaf subagents could steer sibling sessions across sandbox boundaries
- Details
-
Summary
In affected versions of
openclaw, sandboxed leaf subagents could still access thesubagentscontrol surface and resolve against the parent requester scope instead of remaining confined to their own session tree.Impact
A low-privilege sandboxed leaf worker could steer or kill a sibling run owned by the same requester and cause that sibling to execute with its own broader tool policy. This is a sandbox and session-scope boundary bypass.
Affected Packages and Versions
- Package:
openclaw(npm) - Affected versions:
<= 2026.3.8 - Fixed in:
2026.3.11
Technical Details
Leaf subagents retained the
subagentstool, and subagent control requests were authorized against the parent requester scope rather than the caller's own spawned descendants. The control path prevented only self-targeting, not cross-sibling steering.Fix
OpenClaw now removes
subagentscontrol access from leaf subagents by default, scopes subagent control to the caller's own descendants, and rejectssteerandkillrequests that target runs outside that descendant tree. The fix shipped inopenclaw@2026.3.11.Workarounds
Upgrade to
2026.3.11or later. - Package:
- Database specific
{ "github_reviewed": true, "github_reviewed_at": "2026-03-13T15:47:34Z", "cwe_ids": [ "CWE-269" ], "severity": "HIGH", "nvd_published_at": null }- References
Affected packages
npm / openclaw
Package
- Name
- openclaw
- View open source insights on deps.dev
- Purl
- pkg:npm/openclaw