OpenClaw Sandbox Boundary Bypass Vulnerability in Subagents Control Surface
Vulnerability
A sandbox boundary bypass vulnerability has been identified in OpenClaw versions prior to 2026.3.11. Leaf subagents could reach the subagents control surface, and their control requests were resolved against the parent requester's scope rather than the leaf's own session tree. Because authorization checks on subagent control requests were inadequate, a low-privilege, sandboxed leaf worker could manipulate or terminate sibling runs and have tasks executed under broader tool policies.
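The scope-resolution defect described above, as an added illustration that is not OpenClaw's own code: a constructed session tree and two shapes of the authorization check for subagent control requests, one resolving against the parent requester's scope and one against the requester's own subtree. All names, types and the tree layout are assumptions.

```typescript
// Added example, not OpenClaw's own code: a hypothetical session tree and
// two shapes of the authorization check for subagent control requests.
type SessionId = string;

interface SessionNode {
  id: SessionId;
  parent: SessionId | null; // null for the top-level requester session
}

interface ControlRequest {
  requester: SessionId; // session issuing the control request
  target: SessionId;    // run it wants to steer or terminate
}

type SessionTree = Record<SessionId, SessionNode>;

// Constructed sample tree: one parent session with two sandboxed leaf workers.
const TREE: SessionTree = {
  parent: { id: "parent", parent: null },
  "leaf-a": { id: "leaf-a", parent: "parent" },
  "leaf-b": { id: "leaf-b", parent: "parent" },
};

// True when `target` is `ancestor` itself or lies beneath it in the tree.
function isWithinSubtree(tree: SessionTree, ancestor: SessionId, target: SessionId): boolean {
  let cur: SessionId | null = target;
  while (cur !== null) {
    if (cur === ancestor) return true;
    cur = tree[cur]?.parent ?? null;
  }
  return false;
}

// Vulnerable shape: the requester's scope is taken from the session that
// spawned it, so a leaf is authorized for everything its parent can reach,
// including sibling leaves.
function authorizeAgainstParentScope(tree: SessionTree, req: ControlRequest): boolean {
  const requester = tree[req.requester];
  if (!requester || !(req.target in tree)) return false;
  const scope = requester.parent ?? requester.id;
  return isWithinSubtree(tree, scope, req.target);
}

// Fixed shape: authorization is resolved against the requester's own session
// tree, so a leaf can act only on itself and its descendants.
function authorizeAgainstOwnScope(tree: SessionTree, req: ControlRequest): boolean {
  if (!(req.requester in tree) || !(req.target in tree)) return false;
  return isWithinSubtree(tree, req.requester, req.target);
}
```

Running both checks on a leaf-to-sibling request shows the difference: the parent-scoped check grants it, the own-scope check denies it while still allowing the parent session to control its children.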
Impact
Exploitation of this vulnerability allows unauthorized manipulation of sibling subagent runs, including terminating them or causing them to execute with elevated tool privileges. This is a significant bypass of sandbox and session-scope boundaries.
Remediation
Users are advised to upgrade to OpenClaw version 2026.3.11 or later.
