#VU125188 Improper Authorization in OpenClaw

Published: April 8, 2026


Vulnerability identifier: #VU125188
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: N/A
CWE-ID: CWE-285
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
OpenClaw
Software vendor:
OpenClaw

Description

The vulnerability allows a remote user with low privileges to send messages to controlled child sessions outside the intended authorization scope.

The vulnerability exists due to improper authorization in the send action for subagent sessions. When a send request comes from a leaf subagent whose controlScope is narrower than that of its children, the action does not enforce the sender's narrower scope. A remote user can submit a crafted send request to deliver messages to controlled child sessions outside the intended authorization scope.

The issue affects leaf subagents, which can use the send action against controlled child sessions despite having a narrower controlScope.
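The following is an added example, not OpenClaw's code and not a description of its internals. It models a subagent session tree with a per-session controlScope and places a send action that authorizes only by tree position (the vulnerable shape the advisory describes) beside one that derives the decision from the sender's own controlScope. The type names, the three scope levels, and the functions sendVulnerable, sendHardened and buildExampleTree are all assumptions made for illustration.

```typescript
// Added example (not OpenClaw's code). A hypothetical model of subagent
// sessions with a per-session controlScope. All identifiers below are
// assumptions chosen for illustration.

type ControlScope = "none" | "children" | "subtree";

interface Session {
  id: string;
  parentId: string | null;
  controlScope: ControlScope; // how far this session may act on others
}

interface SendResult {
  ok: boolean;
  reason: string;
}

class SessionTree {
  private readonly sessions = new Map<string, Session>();

  add(session: Session): void {
    if (session.parentId !== null && !this.sessions.has(session.parentId)) {
      throw new Error(`unknown parent ${session.parentId}`);
    }
    this.sessions.set(session.id, session);
  }

  get(id: string): Session | undefined {
    return this.sessions.get(id);
  }

  // True when `id` sits strictly below `ancestorId` in the tree.
  isDescendant(ancestorId: string, id: string): boolean {
    let cur = this.sessions.get(id);
    while (cur && cur.parentId !== null) {
      if (cur.parentId === ancestorId) return true;
      cur = this.sessions.get(cur.parentId);
    }
    return false;
  }
}

// Vulnerable shape: the only check is "is the target somewhere under the
// sender?". The sender's own controlScope is never consulted, so a session
// whose scope is "none" can still message anything beneath it.
function sendVulnerable(tree: SessionTree, fromId: string, toId: string, message: string): SendResult {
  const from = tree.get(fromId);
  const to = tree.get(toId);
  if (!from || !to) return { ok: false, reason: "unknown session" };
  if (!tree.isDescendant(fromId, toId)) return { ok: false, reason: "target not controlled" };
  return { ok: true, reason: `delivered ${message.length} bytes to ${toId}` };
}

// Hardened shape: the decision starts from the sender's declared controlScope,
// and the tree relation is then checked against that scope.
function sendHardened(tree: SessionTree, fromId: string, toId: string, message: string): SendResult {
  const from = tree.get(fromId);
  const to = tree.get(toId);
  if (!from || !to) return { ok: false, reason: "unknown session" };
  switch (from.controlScope) {
    case "none":
      return { ok: false, reason: "sender controlScope is none" };
    case "children":
      if (to.parentId !== fromId) return { ok: false, reason: "target is not a direct child" };
      break;
    case "subtree":
      if (!tree.isDescendant(fromId, toId)) return { ok: false, reason: "target outside subtree" };
      break;
  }
  return { ok: true, reason: `delivered ${message.length} bytes to ${toId}` };
}

// Constructed fixture (not real data): an orchestrator with subtree scope, a
// worker limited to its direct children, and a leaf whose controlScope is
// narrower than that of the session beneath it.
function buildExampleTree(): SessionTree {
  const tree = new SessionTree();
  tree.add({ id: "root", parentId: null, controlScope: "subtree" });
  tree.add({ id: "worker", parentId: "root", controlScope: "children" });
  tree.add({ id: "leaf", parentId: "worker", controlScope: "none" });
  tree.add({ id: "leaf-child", parentId: "leaf", controlScope: "children" });
  return tree;
}
```

With this fixture, sendVulnerable lets "leaf" (controlScope "none") message "leaf-child" because the target is under it in the tree, while sendHardened refuses that request and also keeps "worker" from reaching its grandchild. The point for a reviewer is that the authorization input must be the requester's scope, not the target's position.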


Remediation

Install security update from vendor's website.

External links