#VU125150 Improper privilege management in OpenClaw - CVE-2026-32915

Published: April 8, 2026

Vulnerability identifier: #VU125150
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-32915
CWE-ID: CWE-269
Exploitation vector: Local access
Exploit availability: No public exploit available
Vulnerable software: OpenClaw
Software vendor: OpenClaw

Description

The vulnerability allows a local user to bypass sandbox and session-scope boundaries.

The vulnerability exists due to improper privilege management in the subagents control surface when handling subagent control requests. A local user can steer or kill a sibling run to bypass sandbox and session-scope boundaries.

The issue affects sandboxed leaf subagents and arises because control requests are resolved against the parent requester scope instead of the caller's own session tree.
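The following is an added illustration, not OpenClaw's code: a hypothetical model of the scope check described above, with the flawed resolution (against the caller's parent scope) beside the corrected one (against the caller's own session tree). Run ids and the tree shape are constructed sample data.

```python
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Set, Tuple


@dataclass
class Run:
    run_id: str
    parent_id: Optional[str]
    children: List[str] = field(default_factory=list)


def build_tree(edges: Iterable[Tuple[str, Optional[str]]]) -> Dict[str, Run]:
    """Build a session tree from (run_id, parent_id) pairs; parent_id None is the root."""
    runs = {rid: Run(rid, pid) for rid, pid in edges}
    for run in runs.values():
        if run.parent_id is not None:
            runs[run.parent_id].children.append(run.run_id)
    return runs


def subtree(runs: Dict[str, Run], root_id: str) -> Set[str]:
    """All run ids at or below root_id, i.e. root_id's own session tree."""
    seen: Set[str] = set()
    stack = [root_id]
    while stack:
        rid = stack.pop()
        if rid in seen:
            continue
        seen.add(rid)
        stack.extend(runs[rid].children)
    return seen


def can_control_vulnerable(runs: Dict[str, Run], caller_id: str, target_id: str) -> bool:
    """Flawed model: the request is resolved against the parent requester scope,
    so a sandboxed leaf is allowed to reach every sibling under that parent."""
    parent = runs[caller_id].parent_id
    scope_root = parent if parent is not None else caller_id
    return target_id in subtree(runs, scope_root)


def can_control_fixed(runs: Dict[str, Run], caller_id: str, target_id: str) -> bool:
    """Corrected model: a caller may only steer or kill runs in its own session tree."""
    return target_id in subtree(runs, caller_id)


# Constructed sample tree: "main" spawns "a" and "b"; "a" spawns "a1"; "b" is a leaf.
RUNS = build_tree([("main", None), ("a", "main"), ("b", "main"), ("a1", "a")])
```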


Remediation

Install the security update from the vendor's website.

External links