cvedb.io
CVE-2026-35636
MEDIUM · CVSS 6.5
EPSS exploitation probability: 0%
Published 2026-04-09T22:16:32.750 · Last modified 2026-06-17T10:40:56.010

Summary

OpenClaw versions 2026.3.11 through 2026.3.24 contain a session isolation bypass vulnerability where session_status resolves sessionId to canonical session keys before enforcing visibility checks. Sandboxed child sessions can exploit this to access parent or sibling sessions that should be blocked by explicit sessionKey restrictions.

Affected products

openclaw — openclaw

Does this affect you?

Add your gear to cvedb and we'll alert you only when openclaw ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.