Severity by source
CVSS Vector (NVD): CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD; only source for this CVE.
Description (CVE.org)
OpenClaw versions prior to 2026.3.1 fail to enforce sandbox inheritance during cross-agent sessions_spawn operations, allowing sandboxed sessions to create child processes under unsandboxed agents. An attacker with a sandboxed session can exploit this to spawn child runtimes with sandbox.mode set to off, bypassing runtime confinement restrictions.
Analysis (AI-generated)
OpenClaw versions prior to 2026.3.1 contain a sandbox escape vulnerability that allows authenticated attackers with low privileges to bypass runtime confinement restrictions. Attackers can exploit a flaw in cross-agent sessions_spawn operations to create child processes under unsandboxed agents, effectively disabling sandbox protections by setting sandbox.mode to off. …
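The inheritance failure described above, modelled as an added example (this is not OpenClaw's code; the Session type, the spawn functions, the audit record shape and every mode name other than off are assumptions): a vulnerable spawn that takes the child's sandbox mode from the request or the target agent's defaults, beside an enforcing spawn that treats the parent's mode as a floor, plus a check over spawn audit records that flags children weaker than their sandboxed parent.

```python
from dataclasses import dataclass

# Constructed ordering of sandbox modes, least to most restrictive.
# Only "off" is taken from the advisory; the other names are assumptions.
MODE_RANK = {"off": 0, "restricted": 1, "strict": 2}


@dataclass(frozen=True)
class Session:
    agent: str
    sandbox_mode: str


class SandboxDowngradeError(Exception):
    """Raised when a spawn request would weaken the parent's confinement."""


def spawn_vulnerable(parent, target_agent, agent_defaults, requested_mode=None):
    # Flaw as described in the CVE text: the child's mode comes from the
    # explicit request or the target agent's own defaults; the parent
    # session's sandbox is never consulted, so a sandboxed parent can
    # obtain a child running with sandbox mode "off".
    mode = requested_mode or agent_defaults[target_agent]
    return Session(target_agent, mode)


def spawn_enforced(parent, target_agent, agent_defaults, requested_mode=None, audit=None):
    # Hardened behaviour: the parent's mode is a floor. An explicit request
    # may tighten it but never loosen it (rejected, so it is visible); an
    # agent default weaker than the floor is raised to the floor and logged.
    floor = MODE_RANK[parent.sandbox_mode]
    if requested_mode is not None and MODE_RANK[requested_mode] < floor:
        raise SandboxDowngradeError(
            f"{parent.agent} ({parent.sandbox_mode}) -> {target_agent} ({requested_mode})")
    mode = requested_mode or agent_defaults[target_agent]
    if MODE_RANK[mode] < floor:
        if audit is not None:
            audit.append(f"inherited {parent.sandbox_mode} over default {mode} for {target_agent}")
        mode = parent.sandbox_mode
    return Session(target_agent, mode)


def find_downgrades(records):
    # Detection over existing spawn audit records (dicts with parent_mode,
    # child_mode, child_agent): returns every spawn whose child ended up
    # less confined than its parent, the signature of this bug in logs.
    return [r for r in records if MODE_RANK[r["child_mode"]] < MODE_RANK[r["parent_mode"]]]
```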
Vulnerability Assessment (AI-generated)

| Section | Assessment |
| --- | --- |
| Exploitation | Requires OpenClaw versions prior to 2026.3.1 with cross-agent sessions_spawn operations enabled. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector (AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H) indicates network-accessible exploitation with high attack complexity requiring low privileges, leading to high impact across confidentiality, integrity, and availability. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An authenticated attacker with low-level credentials on an OpenClaw deployment initiates a sandboxed session and leverages the cross-agent sessions_spawn functionality to create a child process. By exploiting the failure to inherit sandbox constraints, the attacker spawns a new runtime with sandbox.mode explicitly set to off, escaping the confined environment and gaining full system access to execute arbitrary code, access sensitive data, or pivot to other systems within the network. |
| Remediation | Upgrade OpenClaw to version 2026.3.1 or later, which addresses the sandbox inheritance enforcement flaw in cross-agent sessions_spawn operations. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended Action (AI-generated)
Within 24 hours: Inventory all OpenClaw deployments and identify affected versions (prior to 2026.3.1); identify which users hold authenticated, low-privilege accounts, since those are the accounts able to reach the vulnerable sessions_spawn path. …
More from same product (last 7 days)
- Remote code execution in OpenClaw before 2026.5.12 allows authenticated operators to bypass the PowerShell execution all…
- Command injection in OpenClaw before 2026.5.18 allows authenticated attackers to modify shell wrapper argv between appro…
- Arbitrary code execution in OpenClaw before 2026.5.27 lets attackers hijack the Homebrew executable resolved during skil…
- Authentication bypass in OpenClaw before 2026.5.22 allows authenticated network attackers to spoof locality information…
- Privilege escalation in OpenClaw before 2026.5.18 allows WebSocket-connected Control UI clients to claim operator.admin…
External POC / Exploit Code
- EUVD-2026-13943
- GHSA-wr92-6w3g-2hwc