Medium severity 6.5 · NVD Advisory · Published Apr 9, 2026 · Updated Apr 16, 2026
CVE-2026-35636
Description
OpenClaw versions 2026.3.11 through 2026.3.24 contain a session isolation bypass vulnerability where session_status resolves sessionId to canonical session keys before enforcing visibility checks. Sandboxed child sessions can exploit this to access parent or sibling sessions that should be blocked by explicit sessionKey restrictions.
Affected products: 1
Patches: 1
d9810811b6c3 (https://github.com/openclaw/openclaw, via nvd-ref)