CVE-2026-53826
MEDIUM
OpenClaw < 2026.4.26 - Information Disclosure via Sandboxed Session Spawn
Title source: cnaDescription
OpenClaw before 2026.4.26 contains an information disclosure vulnerability in sandboxed session spawning that exposes the real workspace path to child prompts. Attackers can exploit this by spawning child sessions from sandboxed parents to reveal host workspace location or related memory context to child models.
References (2)
Core References
Vendor Advisory
GitHub Security Advisory (GHSA-6c4r-g249-wv3c)
https://github.com/openclaw/openclaw/security/advisories/GHSA-6c4r-g249-wv3c
Third Party Advisory
VulnCheck Advisory: OpenClaw < 2026.4.26 - Information Disclosure via Sandboxed Session Spawn
https://www.vulncheck.com/advisories/openclaw-information-disclosure-via-sandboxed-session-spawn
Scores
CVSS v3
4.3
EPSS
0.0018
EPSS Percentile
8.0%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-668
Status
published
Products (2)
OpenClaw/OpenClaw
< 2026.4.26
OpenClaw/OpenClaw
2026.4.26
Published
Jun 12, 2026
Tracked Since
Jun 13, 2026