Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
8.1
OpenClaw: Unauthorized Access to Host ACP
GHSA-474h-prjg-mmw3
Summary
A security issue in OpenClaw allows a malicious program to bypass security restrictions and initialize the host's ACP, potentially leading to unauthorized access. This issue affects versions of OpenClaw up to 2026.3.1. To fix the issue, update to version 2026.3.2 or later.
What to do
- Update openclaw to version 2026.3.2.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | openclaw | <= 2026.3.1 | 2026.3.2 |
Original title
OpenClaw: Sandboxed sessions_spawn(runtime="acp") bypassed sandbox inheritance and allowed host ACP initialization
Original description
### Summary
Sandboxed `sessions_spawn(runtime="acp")` could bypass sandbox inheritance and initialize host-side ACP runtime. The fix now fail-closes ACP spawn from sandboxed requester sessions and rejects `sandbox="require"` for `runtime="acp"`.
### Affected Packages / Versions
- Package: `openclaw` (npm)
- Latest published npm version at triage time: `2026.3.1` (March 2, 2026)
- Vulnerable range: `<=2026.3.1`
- Patched release: `2026.3.2` (released)
### Technical Details
- Root cause: `runtime="subagent"` enforced sandbox inheritance, while `runtime="acp"` did not enforce equivalent sandbox/runtime checks.
- Security impact: sandbox-boundary bypass into host-side ACP initialization.
- Fixed behavior:
- deny ACP spawn when requester runtime is sandboxed
- deny `sessions_spawn` with `runtime="acp", sandbox="require"`
- align sandboxed prompt guidance to avoid advertising blocked ACP paths
### Fix Commit(s)
- `ac11f0af731d41743ba02d8595f4d0fe747336e3`
- `c703aa0fe92df9fb71cf254fc46991e05fba2114`
Sandboxed `sessions_spawn(runtime="acp")` could bypass sandbox inheritance and initialize host-side ACP runtime. The fix now fail-closes ACP spawn from sandboxed requester sessions and rejects `sandbox="require"` for `runtime="acp"`.
### Affected Packages / Versions
- Package: `openclaw` (npm)
- Latest published npm version at triage time: `2026.3.1` (March 2, 2026)
- Vulnerable range: `<=2026.3.1`
- Patched release: `2026.3.2` (released)
### Technical Details
- Root cause: `runtime="subagent"` enforced sandbox inheritance, while `runtime="acp"` did not enforce equivalent sandbox/runtime checks.
- Security impact: sandbox-boundary bypass into host-side ACP initialization.
- Fixed behavior:
- deny ACP spawn when requester runtime is sandboxed
- deny `sessions_spawn` with `runtime="acp", sandbox="require"`
- align sandboxed prompt guidance to avoid advertising blocked ACP paths
### Fix Commit(s)
- `ac11f0af731d41743ba02d8595f4d0fe747336e3`
- `c703aa0fe92df9fb71cf254fc46991e05fba2114`
ghsa CVSS3.1
8.1
Vulnerability type
CWE-269
Improper Privilege Management
Published: 3 Mar 2026 · Updated: 7 Mar 2026 · First seen: 6 Mar 2026