Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
5.9
OpenClaw: Unauthorized Access to Host ACP Sessions Possible
GHSA-9q36-67vc-rrwg
Summary
A security issue in OpenClaw allows unauthorized users to access the host's ACP sessions from a sandboxed environment. This could allow a malicious user to access sensitive information or take control of the host's ACP sessions. To fix this issue, update OpenClaw to version 2026.3.7 or later.
What to do
- Update openclaw to version 2026.3.7.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | openclaw | <= 2026.3.7 | 2026.3.7 |
Original title
OpenClaw: Sandboxed /acp spawn requests could initialize host ACP sessions
Original description
### Summary
Sandboxed requester sessions could reach host-side ACP session initialization through `/acp spawn`.
OpenClaw already blocked `sessions_spawn({ runtime: "acp" })` from sandboxed sessions, but the slash-command path initialized ACP directly without applying the same host-runtime guard first.
### Affected Packages / Versions
- npm package: `openclaw`
- Affected versions: `<= 2026.3.2`
- Patched version: `>= 2026.3.7`
### Details
ACP sessions run on the host, not inside the OpenClaw sandbox. The direct ACP spawn path in `src/agents/acp-spawn.ts` already denied sandboxed requesters, but `/acp spawn` in `src/auto-reply/reply/commands-acp/lifecycle.ts` called `initializeSession(...)` without first applying the same restriction.
In affected versions, an already authorized sender in a sandboxed session could use `/acp spawn` to cross from sandboxed chat context into host-side ACP runtime initialization when ACP was enabled and a backend was available.
### Fix Commit(s)
- `61000b8e4ded919ca1a825d4700db4cb3fdc56e3`
### Fix Details
The fix introduced a shared ACP runtime-policy guard in `src/agents/acp-spawn.ts` and reused it from the `/acp spawn` handler in `src/auto-reply/reply/commands-acp/lifecycle.ts` before any ACP backend initialization. Regression coverage was added in `src/auto-reply/reply/commands-acp.test.ts` to prove sandboxed `/acp spawn` requests are rejected early, while existing ACP spawn behavior for non-sandboxed sessions remains unchanged.
### Release Process Note
Patched version is pre-set to `2026.3.7` so the advisory can be published once that npm release is available.
Thanks @tdjackey for reporting.
Sandboxed requester sessions could reach host-side ACP session initialization through `/acp spawn`.
OpenClaw already blocked `sessions_spawn({ runtime: "acp" })` from sandboxed sessions, but the slash-command path initialized ACP directly without applying the same host-runtime guard first.
### Affected Packages / Versions
- npm package: `openclaw`
- Affected versions: `<= 2026.3.2`
- Patched version: `>= 2026.3.7`
### Details
ACP sessions run on the host, not inside the OpenClaw sandbox. The direct ACP spawn path in `src/agents/acp-spawn.ts` already denied sandboxed requesters, but `/acp spawn` in `src/auto-reply/reply/commands-acp/lifecycle.ts` called `initializeSession(...)` without first applying the same restriction.
In affected versions, an already authorized sender in a sandboxed session could use `/acp spawn` to cross from sandboxed chat context into host-side ACP runtime initialization when ACP was enabled and a backend was available.
### Fix Commit(s)
- `61000b8e4ded919ca1a825d4700db4cb3fdc56e3`
### Fix Details
The fix introduced a shared ACP runtime-policy guard in `src/agents/acp-spawn.ts` and reused it from the `/acp spawn` handler in `src/auto-reply/reply/commands-acp/lifecycle.ts` before any ACP backend initialization. Regression coverage was added in `src/auto-reply/reply/commands-acp.test.ts` to prove sandboxed `/acp spawn` requests are rejected early, while existing ACP spawn behavior for non-sandboxed sessions remains unchanged.
### Release Process Note
Patched version is pre-set to `2026.3.7` so the advisory can be published once that npm release is available.
Thanks @tdjackey for reporting.
osv CVSS3.1
5.9
Vulnerability type
CWE-284
Improper Access Control
CWE-693
Protection Mechanism Failure
Published: 9 Mar 2026 · Updated: 13 Mar 2026 · First seen: 9 Mar 2026