CVE-2026-35636 HIGH

CVE-2026-35636: OpenClaw 2026.3.11 < 2026.3.25 - Session Isolation Bypass via sessionId Resolution

Vendor Openclaw
Product OpenClaw
Weakness CWE-696
Published April 9, 2026
Last update May 25, 2026

CVSS base score

7.1/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01Description

OpenClaw versions 2026.3.11 through 2026.3.24 contain a session isolation bypass vulnerability where session_status resolves sessionId to canonical session keys before enforcing visibility checks. Sandboxed child sessions can exploit this to access parent or sibling sessions that should be blocked by explicit sessionKey restrictions.

Key dates

02Disclosure timeline

April 9, 2026 CVE published
May 25, 2026 Record updated