EUVD-2026-13943
GHSA-wr92-6w3g-2hwc
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
5Description
OpenClaw versions prior to 2026.3.1 fail to enforce sandbox inheritance during cross-agent sessions_spawn operations, allowing sandboxed sessions to create child processes under unsandboxed agents. An attacker with a sandboxed session can exploit this to spawn child runtimes with sandbox.mode set to off, bypassing runtime confinement restrictions.
Analysis
OpenClaw versions prior to 2026.3.1 contain a sandbox escape vulnerability that allows authenticated attackers with low privileges to bypass runtime confinement restrictions. Attackers can exploit a flaw in cross-agent sessions_spawn operations to create child processes under unsandboxed agents, effectively disabling sandbox protections by setting sandbox.mode to off. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Inventory all OpenClaw deployments and identify affected versions (prior to 2026.3.1); assess if any users have authentication credentials and low-privilege accounts. Within 7 days: Implement network segmentation to restrict cross-agent communication and disable sessions_spawn operations where operationally feasible; monitor for suspicious process creation and sandbox mode modifications. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today