VYPR
Medium severity6.5NVD Advisory· Published Apr 9, 2026· Updated Apr 16, 2026

CVE-2026-35636

CVE-2026-35636

Description

OpenClaw versions 2026.3.11 through 2026.3.24 contain a session isolation bypass vulnerability where session_status resolves sessionId to canonical session keys before enforcing visibility checks. Sandboxed child sessions can exploit this to access parent or sibling sessions that should be blocked by explicit sessionKey restrictions.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

2
  • OpenClaw/Openclaw2 versions
    cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*+ 1 more
    • cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*range: >=2026.3.11,<2026.3.25
    • (no CPE)range: >=2026.3.11, <=2026.3.24

Patches

Vulnerability mechanics

References

3

News mentions

0

No linked articles in our index yet.