A high-severity vulnerability in the OpenClaw npm package exposes users to a sandbox escape attack. Versions from 2026.3.11 to 2026.3.24 let sandboxed child sessions bypass visibility restrictions and access parent or sibling sessions via the session_status function. Developers must update immediately to 2026.3.25 or later, where commit d9810811b6c3c9266d7580f00574e5e02f7663de fixes the issue.
OpenClaw handles session management in sandboxed environments, likely for multi-tenant web apps, PWAs, or server-side systems enforcing hierarchical session trees. These trees isolate sessions—parents oversee children, but siblings and unrelated branches stay hidden. The flaw breaks this model. Previously, session_status checked visibility before resolving a sessionId to its canonical sessionKey. Sandboxed callers exploited this to reach blocked sessions by supplying crafted IDs.
Vulnerability Breakdown
The core problem lies in the order of operations. In vulnerable code, early visibility checks ran before sessionId resolution. A sandboxed child could pass a parent or sibling ID, pass the initial check, then resolve to unauthorized data. The fix in commit d9810811b6c3c9266d7580f00574e5e02f7663de flips this: it resolves the ID first, then enforces visibility on the canonical key. Verified vulnerable on tag v2026.3.24; the patch lands cleanly on the main branch.
At verification, npm’s latest OpenClaw release stood at 2026.3.24—still vulnerable. The patched 2026.3.25 awaits publication, so pull from GitHub or build from source if urgent. No public exploits surfaced yet, but the simplicity invites quick weaponization. Check your package.json: run
npm ls openclawto confirm versions across dependencies.
Why This Matters
Sandbox isolation underpins secure multi-user systems. In finance or crypto apps—where Njalla operates—this breach means a compromised low-privilege session grabs high-value data from parents, like API keys, wallet states, or transaction histories. Imagine a shared backend: tenant A’s sandboxed script queries tenant B’s balances via sibling session_status calls. Escalation potential runs high if sessions tie to auth tokens or database access.
Broader context: npm hosts over 2 million packages; session managers like OpenClaw power thousands of apps. Version jumps to 2026 suggest a forward-dated scheme, possibly for testing or internal versioning, but it doesn’t dilute the risk. Similar flaws hit libraries before—recall Redis sandbox escapes or Docker container breaks. Attackers scan npm deps aggressively; tools like Snyk or GitHub Dependabot flag these, but manual audits catch order-of-check bugs like this.
Implications extend to compliance. GDPR, PCI-DSS, or SOC 2 demand strict data isolation. One bypass audit failure cascades to fines or breaches. In crypto, where sessions often proxy wallet ops, this leaks private keys or seeds if poorly scoped. Skeptically, OpenClaw’s niche status limits blast radius—few dependents—but if your stack uses it, assume compromise until patched.
Action Steps
Update now:
npm install openclaw@2026.3.25or later. If unpublished, clone the repo and checkout post-commit:
git clone https://github.com/[owner]/openclaw.git
cd openclaw
git checkout d9810811b6c3c9266d7580f00574e5e02f7663de
npm installAudit usage: grep for session_status in your codebase. Replace naive ID passes with explicit sessionKey checks. Test sandbox escapes: spin up a tree, block visibility, probe from children. Monitor logs for anomalous resolutions. Fair credit to maintainers—single-commit fix shows competence—but versions lag publication, a red flag for supply-chain trust.
Bottom line: Patch closes a textbook visibility bypass. Delay risks real escapes. In security, order matters; here, it broke isolation. Stay vigilant—npm advisories like this underscore why you lock deps and audit deps-of-deps.
