PT-2026-31973 · Openclaw · Openclaw

Space08 · Published 2026-03-26 · Updated 2026-04-10 · CVE-2026-35662

CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions: OpenClaw versions prior to 2026.3.22

Description: OpenClaw fails to enforce controlScope restrictions on the send action. Because the send path does not validate the requester's scope, leaf subagents can send messages to child sessions beyond their authorized scope, bypassing the intended access control. The fix threads the controller context through the send path and rejects a send unless the requester owns the target session and has controlScope set to 'children'.

Recommendations: Update to version 2026.3.22 or later.

Fix

Weakness Enumeration

Missing Authorization
Improper Authorization

Related Identifiers

CVE-2026-35662
GHSA-X2CM-HG9C-MF5W

Affected Products

Openclaw