CVE-2026-53826

Summary

OpenClaw before 2026.4.26 contains an information disclosure vulnerability in sandboxed session spawning that exposes the real workspace path to child prompts. Attackers can exploit this by spawning child sessions from sandboxed parents to reveal host workspace location or related memory context to child models.

Affected Software

VendorProductVersion RangeStatus
OpenClawOpenClaw0 < 2026.4.26affected
OpenClawOpenClaw2026.4.26unaffected

Weaknesses

  • CWE-668: Exposure of Resource to Wrong Sphere

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References