GHSA-WW6V-V748-X7G9

Vulnerability from github – Published: 2026-03-02 23:37 – Updated: 2026-03-25 20:25
Summary
OpenClaw has a sandbox network isolation bypass via docker.network=container:<id>
Details

Summary

In openclaw@2026.2.23 and earlier, the sandbox network hardening rejects network=host but still accepts network=container:<id>.

A sandbox started with that mode shares the target container's network namespace: it gets the same interfaces and IP addresses, including the loopback interface, so it can reach services the target binds only to 127.0.0.1 as well as anything reachable from the target's networks.

Preconditions and Trust Model Context

This issue requires a trusted-operator configuration path (for example setting agents.defaults.sandbox.docker.network in gateway config). It is not an unauthenticated remote exploit by itself.

Details

Before the fix, validation blocks only host and forwards every other value unchanged into the Docker create arguments:

  • validateNetworkMode(network) only rejects values in BLOCKED_NETWORK_MODES = {"host"}.
  • buildSandboxCreateArgs(...) validates then forwards cfg.network into --network.
  • Browser sandbox helper also treats container: as an accepted mode in network preparation.

Effective behavior:

  • host -> blocked
  • container:<id> -> accepted and forwarded

Impact

Type: sandbox network isolation hardening bypass.

Practical impact depends on deployment:

  • Requires ability to influence trusted sandbox network config.
  • Higher impact when a target container exposes privileged/internal network reachability.
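Because the practical impact depends on which container a sandbox has joined, a deployment running an affected version wants a quick audit of what is already running. The check below is an added example, not OpenClaw's code: it reads the array that docker inspect emits and flags containers whose HostConfig.NetworkMode is host or container:<ref>, resolving the reference to a container name when the target is in the same output. The records, names and ids are constructed sample data.

```typescript
// Added example, not OpenClaw's code: audit `docker inspect` output for
// containers already running with a namespace-join network mode.
// SAMPLE_INSPECT below is constructed, trimmed to the fields the check reads;
// on a live host, `docker inspect $(docker ps -q)` emits the same array shape.

export interface InspectRecord {
  Id: string;
  Name: string; // docker inspect prefixes container names with "/"
  HostConfig: { NetworkMode: string };
}

export interface Finding {
  container: string;
  mode: string;
  joined: string; // "host", or the container whose network namespace is shared
}

const stripSlash = (name: string): string => name.replace(/^\//, "");

// Resolve the <ref> of "container:<ref>" to "name (shortid)" when the target
// appears in the same inspect output. <ref> may be a name, a full 64-hex id or
// an id prefix; prefixes shorter than 12 chars are treated as too ambiguous.
function resolveTarget(ref: string, records: InspectRecord[]): string {
  const hit = records.find(
    (r) =>
      stripSlash(r.Name) === ref ||
      r.Id === ref ||
      (ref.length >= 12 && r.Id.startsWith(ref)),
  );
  return hit ? `${stripSlash(hit.Name)} (${hit.Id.slice(0, 12)})` : ref;
}

// Returns one finding per container that shares the host's or another
// container's network namespace; bridge, none and user networks are ignored.
export function auditNetworkModes(records: InspectRecord[]): Finding[] {
  const findings: Finding[] = [];
  for (const r of records) {
    const mode = r.HostConfig.NetworkMode;
    if (mode === "host") {
      findings.push({ container: stripSlash(r.Name), mode, joined: "host" });
    } else if (mode.startsWith("container:")) {
      const ref = mode.slice("container:".length);
      findings.push({
        container: stripSlash(r.Name),
        mode,
        joined: resolveTarget(ref, records),
      });
    }
  }
  return findings;
}

// Constructed sample: one internal service and four sandboxes, two of which
// were created with a namespace-join mode. Ids are synthetic 64-hex strings.
export const SAMPLE_INSPECT: InspectRecord[] = [
  { Id: "7f3a1c2e".repeat(8), Name: "/internal-db", HostConfig: { NetworkMode: "internal-net" } },
  { Id: "9b4d0e1f".repeat(8), Name: "/sandbox-a", HostConfig: { NetworkMode: "bridge" } },
  { Id: "2c8e5a7b".repeat(8), Name: "/sandbox-b", HostConfig: { NetworkMode: "container:7f3a1c2e7f3a" } },
  { Id: "d1e2f3a4".repeat(8), Name: "/sandbox-c", HostConfig: { NetworkMode: "host" } },
  { Id: "5a6b7c8d".repeat(8), Name: "/sandbox-d", HostConfig: { NetworkMode: "none" } },
];

for (const f of auditNetworkModes(SAMPLE_INSPECT)) {
  console.log(`${f.container}: ${f.mode} -> joined ${f.joined}`);
}
```

Against the sample this reports sandbox-b joined to internal-db and sandbox-c on the host namespace; sandbox-a and sandbox-d are silent because bridge and none keep their own namespace.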

Remediation

Reject namespace-join network modes (host and container:<id>) for sandbox containers outright, and accept only a strict allowlist of known-safe network modes rather than denylisting known-bad ones; a denylist silently admits any mode it did not anticipate.
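The validator shapes described under Details and Remediation, as an added example that is not OpenClaw's code: a denylist validator that only rejects host (the behaviour the advisory describes in 2026.2.23), beside an allowlist validator that rejects namespace-join modes first and then accepts only an explicit set of modes. The function names, the contents of SAFE_NETWORK_MODES, the user-network name pattern and the create-args shape are assumptions for illustration.

```typescript
// Added example, not OpenClaw's code. Names and the safe-mode set are
// assumptions; the point is the denylist-vs-allowlist difference.

export type NetworkValidator = (network: string) => string;

// "Before" shape: only modes in this set are rejected; anything else is
// forwarded to `docker create --network` untouched, so "container:<id>" passes.
const BLOCKED_NETWORK_MODES = new Set(["host"]);

export function validateNetworkModeDenylist(network: string): string {
  if (BLOCKED_NETWORK_MODES.has(network)) {
    throw new Error(`sandbox network mode "${network}" is blocked`);
  }
  return network;
}

// Hardened shape: namespace-join modes are rejected first, then only an
// explicit set of safe modes or a conservatively named user-defined network is
// accepted. Any other value, including modes Docker adds later, is rejected.
const SAFE_NETWORK_MODES = new Set(["none", "bridge"]);
const NAMESPACE_JOIN_MODES = ["host"];
const NAMESPACE_JOIN_PREFIXES = ["container:"];
// Narrower than what Docker allows for network names; exact-match, no trimming
// or case-folding, so spelling variants are simply rejected.
const USER_NETWORK_NAME = /^[a-z0-9][a-z0-9_.-]{0,63}$/;

export function validateNetworkModeAllowlist(network: string): string {
  // The deny check must run first: "host" is also a syntactically valid
  // user-network name and would otherwise match USER_NETWORK_NAME.
  if (
    NAMESPACE_JOIN_MODES.includes(network) ||
    NAMESPACE_JOIN_PREFIXES.some((p) => network.startsWith(p))
  ) {
    throw new Error(
      `sandbox network mode "${network}" joins another network namespace and is blocked`,
    );
  }
  if (SAFE_NETWORK_MODES.has(network) || USER_NETWORK_NAME.test(network)) {
    return network;
  }
  throw new Error(`sandbox network mode "${network}" is not in the allowlist`);
}

// Mirrors the forwarding step: validate, then place the value after --network.
export function buildSandboxCreateArgs(
  cfg: { image: string; network: string },
  validate: NetworkValidator,
): string[] {
  const network = validate(cfg.network);
  return ["create", "--network", network, cfg.image];
}

// Runs one validator over candidate modes and records accept/block per mode.
export function classify(
  validate: NetworkValidator,
  modes: string[],
): Record<string, "accepted" | "blocked"> {
  const out: Record<string, "accepted" | "blocked"> = {};
  for (const m of modes) {
    try {
      validate(m);
      out[m] = "accepted";
    } catch {
      out[m] = "blocked";
    }
  }
  return out;
}

// Constructed candidates: the two modes the advisory names, a safe mode,
// a user-defined network and a value neither validator should need to guess at.
export const CANDIDATE_MODES = [
  "host",
  "container:0a1b2c3d4e5f",
  "bridge",
  "sandbox-net",
  "Host",
];

console.log("denylist :", classify(validateNetworkModeDenylist, CANDIDATE_MODES));
console.log("allowlist:", classify(validateNetworkModeAllowlist, CANDIDATE_MODES));
```

Under the denylist, container:0a1b2c3d4e5f is accepted and reaches --network; under the allowlist it is rejected before the create arguments are built, and so is "Host", which the denylist would have forwarded for Docker to interpret.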

Patch Status

Fixed on main in commit 14b6eea6e: https://github.com/openclaw/openclaw/commit/14b6eea6e

Follow-up refactor/cleanup (no policy rollback): https://github.com/openclaw/openclaw/commit/5552f9073

Publication Update (2026-02-25)

openclaw@2026.2.24 is published on npm and contains the fix commit(s) listed above. This advisory now marks >= 2026.2.24 as patched.


{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2026.2.23"
      },
      "package": {
        "ecosystem": "npm",
        "name": "openclaw"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2026.2.24"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-32038"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-284",
      "CWE-693"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-02T23:37:46Z",
    "nvd_published_at": "2026-03-19T22:16:39Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\nIn `openclaw@2026.2.23`, sandbox network hardening blocks `network=host` but still allows `network=container:\u003cid\u003e`.\n\nThis can let a sandbox join another container\u0027s network namespace and reach services available in that namespace.\n\n### Preconditions and Trust Model Context\nThis issue requires a trusted-operator configuration path (for example setting `agents.defaults.sandbox.docker.network` in gateway config). It is not an unauthenticated remote exploit by itself.\n\n### Details\nCurrent validation blocks only `host`, while forwarding other values to Docker create args:\n\n- `validateNetworkMode(network)` only rejects values in `BLOCKED_NETWORK_MODES = {\"host\"}`.\n- `buildSandboxCreateArgs(...)` validates then forwards `cfg.network` into `--network`.\n- Browser sandbox helper also treats `container:` as an accepted mode in network preparation.\n\nEffective behavior:\n\n- `host` -\u003e blocked\n- `container:\u003cid\u003e` -\u003e accepted and forwarded\n\n### Impact\nType: sandbox network isolation hardening bypass.\n\nPractical impact depends on deployment:\n\n- Requires ability to influence trusted sandbox network config.\n- Higher impact when a target container exposes privileged/internal network reachability.\n\n### Remediation\nBlock namespace-join style network modes (including `container:\u003cid\u003e`) for sandbox containers, and keep strict allowlisting for safe network modes.\n\n\n### Patch Status\nFixed on `main` in commit `14b6eea6e`:\nhttps://github.com/openclaw/openclaw/commit/14b6eea6e\n\nFollow-up refactor/cleanup (no policy rollback):\nhttps://github.com/openclaw/openclaw/commit/5552f9073\n\n\n### Publication Update (2026-02-25)\n`openclaw@2026.2.24` is published on npm and contains the fix commit(s) listed above. This advisory now marks `\u003e= 2026.2.24` as patched.",
  "id": "GHSA-ww6v-v748-x7g9",
  "modified": "2026-03-25T20:25:50Z",
  "published": "2026-03-02T23:37:46Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-ww6v-v748-x7g9"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32038"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/commit/14b6eea6e"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/commit/5552f9073"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/openclaw/openclaw"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/openclaw-sandbox-network-isolation-bypass-via-docker-network-container-parameter"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "OpenClaw has a sandbox network isolation bypass via docker.network=container:\u003cid\u003e"
}

