Cyber Resilience

CVE-2026-32915

CriticalPublic PoC

Published: 29 March 2026

Published
29 March 2026
Modified
31 March 2026
KEV Added
Patch
CVSS Score v4 9.3 CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0014 3.9th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2026-32915 is a critical-severity Incorrect Authorization (CWE-863) vulnerability in Openclaw Openclaw. Its CVSS base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 3.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-25 (Reference Monitor) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2026-32915 is a sandbox boundary bypass vulnerability affecting OpenClaw versions before 2026.3.11. The issue arises from insufficient authorization checks on subagent control requests (CWE-863), which allow leaf subagents to access the subagents control surface and resolve requests against the parent requester scope instead of their own session tree.

A local attacker with low privileges can exploit this vulnerability without user interaction and with low attack complexity. Exploitation enables a low-privilege sandboxed leaf worker to steer or kill sibling runs and cause execution with broader tool policies, leading to high impacts on confidentiality, integrity, and availability due to the changed scope. The CVSS v3.1 base score is 8.8 (AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).

Advisories recommend updating to OpenClaw 2026.3.11 or later to address the vulnerability. Relevant references include the GitHub security advisory at https://github.com/openclaw/openclaw/security/advisories/GHSA-4w7m-58cg-cmff and the VulnCheck advisory at https://www.vulncheck.com/advisories/openclaw-sandbox-boundary-bypass-via-subagent-control-surface.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

OpenClaw before 2026.3.11 contains a sandbox boundary bypass vulnerability allowing leaf subagents to access the subagents control surface and resolve against parent requester scope instead of their own session tree. A low-privilege sandboxed leaf worker can steer or kill sibling…

more

runs and cause execution with broader tool policies by exploiting insufficient authorization checks on subagent control requests.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Sandbox boundary bypass via improper authorization (CWE-863) on subagent control requests directly enables a low-privileged local process to obtain broader execution scope and affect sibling runs, matching exploitation for privilege escalation.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-42429Same product: Openclaw Openclaw
CVE-2026-33579Same product: Openclaw Openclaw
CVE-2026-33577Same product: Openclaw Openclaw
CVE-2026-41404Same product: Openclaw Openclaw
CVE-2026-41344Same product: Openclaw Openclaw
CVE-2026-42432Same product: Openclaw Openclaw
CVE-2026-32918Same product: Openclaw Openclaw
CVE-2026-41371Same product: Openclaw Openclaw
CVE-2026-41379Same product: Openclaw Openclaw
CVE-2026-32972Same product: Openclaw Openclaw

Affected Assets

openclaw
openclaw
≤ 2026.3.11

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly enforces authorization checks on subagent control requests to prevent low-privilege leaf workers from accessing parent requester scope.

prevent

Implements a tamper-proof reference monitor to mediate all accesses to the subagents control surface, ensuring enforcement of sandbox boundaries.

prevent

Maintains process isolation between sandboxed leaf subagents and siblings to block unauthorized control surface interactions and scope resolution.

References