Issue Station
Sign In
Tools hereToolbox

openclaw - 💡(How to fix) Fix [Bug] Exec approval follow-up can leak into a new session after /new because it rebinds by sessionKey instead of original sessionId [1 participants]

Official PRs (…)
ON THIS PAGE

Recommended Tools

×6

Utilities matched from this issue’s tags and category — try them while you read without losing context.

GitHub issue graph ai analysis

Paste a GitHub issue URL. We fetch that issue, discover linked issues from bodies/comments/timeline, collect linked pull requests, and produce a structured English report.

The report is written in English Markdown for sharing and archival.

Helpful · Quick feedback

Loading…
GitHub stats
openclaw/openclaw#59349Fetched 2026-04-08 02:25:38
View on GitHub
Comments
0
Participants
1
Timeline
0
Reactions
0
Author
two3protwo3pro
Participants
two3protwo3pro

If a session has a pending exec approval and the user starts a new session with /new or /reset before that approval resolves, the eventual approval follow-up can be delivered into the new session. This shows up as unrelated stale approval messages, Exec denied, or continuation text in a fresh conversation.

Error Message

The exec approval follow-up is effectively routed by logical sessionKey. After /new or /reset, the same sessionKey can point to a new sessionId, so when the old approval finishes its follow-up can land in the new session transcript.

Root Cause

The follow-up path only tracked sessionKey, not the original sessionId that was active when the exec request was created.

RAW_BUFFERClick to expand / collapse

Summary

If a session has a pending exec approval and the user starts a new session with /new or /reset before that approval resolves, the eventual approval follow-up can be delivered into the new session. This shows up as unrelated stale approval messages, Exec denied, or continuation text in a fresh conversation.

Affected version

OpenClaw 2026.3.31

Observed behavior

The exec approval follow-up is effectively routed by logical sessionKey. After /new or /reset, the same sessionKey can point to a new sessionId, so when the old approval finishes its follow-up can land in the new session transcript.

Expected behavior

The follow-up should stay bound to the original session instance. Once that sessionKey has been rebound to a different sessionId, stale follow-ups should be dropped instead of being delivered into the new session.

Reproduction

  1. Start a session for an agent with a stable sessionKey.
  2. Trigger a tool execution that requires approval and leave it pending.
  3. Before approving or denying it, send /new or /reset, creating a new sessionId under the same logical session key.
  4. Approve or deny the old request.
  5. Observe that the new session can receive the old approval follow-up or stale approval-related output.

Root cause

The follow-up path only tracked sessionKey, not the original sessionId that was active when the exec request was created.

Proposed fix

Capture expectedSessionId when creating the exec approval follow-up target, then before sending compare it with the latest sessionKey -> sessionId mapping. If they differ, log and drop the stale follow-up.

Validation

I reproduced this locally, applied that guard in the installed dist, restarted the gateway, and verified that a previously pending approval no longer polluted the new session after /reset.

Concrete validation data from the local repro:

  • pending approval id: 21abfe34-9309-40bb-9a2b-9a43349d4d79
  • old session id before reset: 59ada67a-ec92-4955-b3f5-b894be448e13
  • new session id after reset: 6884416d-17e1-402a-870b-0b6a24762c4c

If helpful, I can also turn the validated local fix into a source-level PR.

extent analysis

TL;DR

Capture the expectedSessionId when creating the exec approval follow-up target and compare it with the latest sessionKey -> sessionId mapping before sending to prevent stale follow-ups.

Guidance

  • To fix the issue, modify the follow-up path to track both sessionKey and the original sessionId that was active when the exec request was created.
  • Before sending the follow-up, compare the expectedSessionId with the latest sessionKey -> sessionId mapping and drop the follow-up if they differ.
  • To verify the fix, reproduce the issue locally and check that a previously pending approval no longer appears in the new session after /reset.
  • Consider creating a source-level PR with the validated local fix to ensure the change is properly reviewed and integrated.

Example

# Pseudo-code example of the proposed fix
def send_follow_up(session_key, expected_session_id, follow_up_message):
    latest_session_id = get_latest_session_id(session_key)
    if latest_session_id != expected_session_id:
        log_and_drop_stale_follow_up(follow_up_message)
    else:
        send_message_to_session(session_key, follow_up_message)

Notes

The proposed fix assumes that the sessionKey -> sessionId mapping is accessible and up-to-date. Additionally, the fix may require modifications to the existing logging and error handling mechanisms to properly handle dropped follow-ups.

Recommendation

Apply the workaround by capturing the expectedSessionId and comparing it with the latest sessionKey -> sessionId mapping before sending the follow-up, as this directly addresses the root cause of the issue and has been validated locally.

Vote matrix · Quick signals

Works
Did the solution work? Tap to confirm.
Easy Fix
Was it a quick fix?
Time Saver
Did it save you time?
Blocking
Was it severely blocking?
Common Issue
Are others likely hitting this too?
Flaky / Intermittent
Is it intermittent?
Verified / Reproducible
Can you reproduce it reliably?
Loading…

FAQ

Expected behavior

The follow-up should stay bound to the original session instance. Once that sessionKey has been rebound to a different sessionId, stale follow-ups should be dropped instead of being delivered into the new session.

#cache error#pipeline error#runtime error#dependency conflict#environment setup

Still need to ship something?

×6

Another batch ranked right after the header list — different links, same matching logic.

Back to top recommendations

TRENDING