OpenClaw Docker Images Run as Root

GHSA-w7j5-j98m-w679
Summary

Three Dockerfiles in OpenClaw's scripts directory contain no USER directive, so every process in the resulting containers runs as root (uid 0). If any of those processes is compromised, the attacker holds root inside the container, which exposes any mounted data and makes container-escape attempts (kernel exploits, abuse of mounted volumes, privileged syscalls) far more practical than they would be from an unprivileged account. The fix is to create an unprivileged account in each affected Dockerfile and add a USER directive so that processes run under it.

What to do
  • Update openclaw to version 2026.2.21.
Affected software
  Vendor / product: openclaw
  Affected versions: <= 2026.2.21
  Fix available: 2026.2.21
Original title
OpenClaw has multiple E2E/test Dockerfiles that run all processes as root
Original description
Three Dockerfiles in scripts/docker/ and scripts/e2e/ lack a USER directive, so every process runs as uid 0 (root). If any process is compromised, the attacker has root inside the container, which makes container breakout significantly easier.
**Partial fix (2026-02-08):** Commit 28e1a65e added USER sandbox to Dockerfile.sandbox and Dockerfile.sandbox-browser. The E2E/test Dockerfiles listed below remain unpatched.

**Affected components:**
- scripts/e2e/Dockerfile
- scripts/e2e/Dockerfile.qr-import
- scripts/docker/install-sh-e2e/Dockerfile
- scripts/docker/install-sh-nonroot/Dockerfile (runs as app but with NOPASSWD sudo — see related advisory)

**Technical Reproduction:**
1. Open each Dockerfile listed above and search for a USER directive — none found.
2. Run any of these containers: docker run --rm -it <image> id
3. Observe: returns uid=0(root).

**Demonstrated Impact:**
- Root inside the container enables kernel exploit attempts, volume mount abuse, and privileged syscall access.
- Test images share the same base (node:22-bookworm) as production, creating risk of accidental deployment of root-running images.

**Environment:** Base images node:22-bookworm and node:22-bookworm-slim default to root. Dockerfile.sandbox and Dockerfile.sandbox-browser were remediated in commit 28e1a65e; only the E2E/test images listed above remain affected.

**Remediation:** Add a USER directive before CMD/ENTRYPOINT in each remaining Dockerfile:
RUN useradd --create-home --shell /bin/bash appuser
USER appuser
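The reproduction steps and the remediation above can both be driven from a single script, shown here as an added example that is not OpenClaw project code. It performs the first reproduction step statically (the USER check) over Dockerfiles that are constructed inline for illustration (their paths echo the advisory's, their contents are assumptions), and applies the advisory's two-line fix as a text edit before the final stage's first CMD or ENTRYPOINT. The audit treats each FROM as resetting the user, so a USER directive that only appears in a builder stage does not count; that is conservative (a stage built FROM an earlier stage would inherit its USER and may be flagged anyway), which is the right direction for an audit.

```shell
#!/bin/sh
# Added example, not OpenClaw project code: a static, offline audit for the
# defect this advisory describes (no effective USER directive, so the
# container runs as uid 0), plus the advisory's remediation applied as a text
# edit. The sample Dockerfiles are constructed here; their paths echo the
# advisory's but their contents are assumptions.
set -u

# Print the account the final image will run as. Docker defaults to root when
# no USER directive is present. Each FROM resets the user (conservative: a
# stage built FROM an earlier stage inherits its USER but is reported as
# root here unless it sets USER itself). USER root / USER 0 count as root;
# a :group suffix is dropped.
effective_user() {
    awk '
        toupper($1) == "FROM" { u = "" }
        toupper($1) == "USER" { u = $2; sub(/:.*/, "", u) }
        END { if (u == "" || u == "0" || u == "root") print "root"; else print u }
    ' "$1"
}

# Return 1 (and say why) when a Dockerfile would run as root, 0 otherwise.
audit_dockerfile() {
    u=$(effective_user "$1")
    if [ "$u" = root ]; then
        printf '%s: runs as root (no effective USER directive)\n' "$1"
        return 1
    fi
    printf '%s: runs as %s\n' "$1" "$u"
}

# Write a remediated copy of $1 to $2: create an unprivileged account and
# switch to it immediately before the final stage's first CMD/ENTRYPOINT
# (appended at the end if the final stage has neither).
add_nonroot_user() {
    awk '
        { line[NR] = $0 }
        toupper($1) == "FROM" { cmd = 0 }
        (toupper($1) == "CMD" || toupper($1) == "ENTRYPOINT") && !cmd { cmd = NR }
        END {
            for (i = 1; i <= NR; i++) {
                if (i == cmd) fix()
                print line[i]
            }
            if (!cmd) fix()
        }
        function fix() {
            print "RUN useradd --create-home --shell /bin/bash appuser"
            print "USER appuser"
        }
    ' "$1" > "$2"
}

# Constructed samples: one shaped like the unpatched E2E image, one shaped
# like the install-sh-nonroot image that already switches to a user.
make_samples() {
    mkdir -p "$1/scripts/e2e" "$1/scripts/docker/install-sh-nonroot"
    cat > "$1/scripts/e2e/Dockerfile" <<'EOF'
FROM node:22-bookworm-slim
WORKDIR /app
COPY . .
RUN npm ci
CMD ["npm", "run", "test:e2e"]
EOF
    cat > "$1/scripts/docker/install-sh-nonroot/Dockerfile" <<'EOF'
FROM node:22-bookworm
RUN useradd --create-home app
USER app
CMD ["bash"]
EOF
}

# Stand-alone run: audit the samples, then audit a remediated copy of the
# E2E file.
demo() {
    d=$(mktemp -d)
    make_samples "$d"
    for f in "$d/scripts/e2e/Dockerfile" \
             "$d/scripts/docker/install-sh-nonroot/Dockerfile"; do
        audit_dockerfile "$f" || true
    done
    add_nonroot_user "$d/scripts/e2e/Dockerfile" "$d/scripts/e2e/Dockerfile.fixed"
    audit_dockerfile "$d/scripts/e2e/Dockerfile.fixed"
    rm -rf "$d"
}
demo
```

The static check is what a CI job would run over every Dockerfile under scripts/ before an image is built; the advisory's `docker run --rm -it <image> id` step then confirms the runtime uid of the built image. The inserted `useradd` call requires the base image to ship the usual Debian user-management tools, which the node:22-bookworm and node:22-bookworm-slim images named in the advisory do.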
Source: GHSA · CVSS 4.0 base score: 8.4
Vulnerability type: CWE-250 (Execution with Unnecessary Privileges)
Published: 3 Mar 2026 · Updated: 7 Mar 2026 · First seen: 6 Mar 2026