Nixpkgs security tracker

Dismissed

Permalink CVE-2026-32918

8.4 HIGH

CVSS version (CVSS): 3.1
Attack Vector (AV): Local (L)
Attack Complexity (AC): Low (L)
Privileges Required (PR): Low (L)
User Interaction (UI): None (N)
Scope (S): Changed (C)
Confidentiality (C): High (H)
Integrity (I): High (H)
Availability (A): None (N)
Modified Attack Vector (MAV): Local (L)
Modified Attack Complexity (MAC): Low (L)
Modified Privileges Required (MPR): Low (L)
Modified User Interaction (MUI): None (N)
Modified Confidentiality (MC): High (H)
Modified Scope (MS): Changed (C)
Modified Integrity (MI): High (H)
Modified Availability (MA): None (N)

updated 2 months, 2 weeks ago by @mweinelt Activity log

Created suggestion 2 months, 3 weeks ago
@mweinelt dismissed 2 months, 2 weeks ago

OpenClaw < 2026.3.11 - Session Sandbox Escape via session_status Tool

OpenClaw before 2026.3.11 contains a session sandbox escape vulnerability in the session_status tool that allows sandboxed subagents to access parent or sibling session state. Attackers can supply arbitrary sessionKey values to read or modify session data outside their sandbox scope, including persisted model overrides.

References

GitHub Security Advisory (GHSA-wcxr-59v9-rxr8) third-party-advisory
VulnCheck Advisory: OpenClaw < 2026.3.11 - Session Sandbox Escape via session_status Tool third-party-advisory

Affected products

OpenClaw

==2026.3.11
<2026.3.11

Matching in nixpkgs

pkgs.openclaw

Self-hosted, open-source AI assistant/agent

nixos-unstable 2026.3.12
- nixpkgs-unstable 2026.3.12
- nixos-unstable-small 2026.3.12

Package maintainers

@chrisportela Chris Portela <chris@chrisportela.com>

Fixed in https://github.com/nixos/nixpkgs/pull/499141

Suggestion detail

References

Affected products

Matching in nixpkgs

pkgs.openclaw

Package maintainers