
Docker Container Escape Risk in OpenClaw

CVE-2026-27002 GHSA-w235-x559-36mg
Summary

A security issue in OpenClaw allows attackers to escape from Docker containers and access sensitive host data if they can influence the Docker configuration. This could lead to unauthorized access to sensitive information or even complete control of the host system. To fix this, update to OpenClaw version 2026.2.15 or later, and avoid configuring certain Docker settings that are known to be insecure.

What to do
  • Update steipete openclaw to version 2026.2.15.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| steipete | openclaw | <= 2026.2.15 | 2026.2.15 |
| openclaw | openclaw | <= 2026.2.15 | – |
Original title
OpenClaw: Docker container escape via unvalidated bind mount config injection
Original description
## Summary
A configuration injection issue in the Docker tool sandbox could allow dangerous Docker options (bind mounts, host networking, unconfined profiles) to be applied, enabling container escape or host data access.

## Affected Packages / Versions
- Package: `openclaw` (npm)
- Affected versions: `<= 2026.2.14`
- Fixed version: `>= 2026.2.15` (next release)

## Impact
If an attacker can influence sandbox Docker configuration (or an operator pastes untrusted config), they may be able to:
- mount sensitive host paths (e.g. `/etc`, `/proc`, `/sys`, `/dev`, Docker socket)
- use `network=host` to bypass container network isolation
- use `seccompProfile=unconfined` / `apparmorProfile=unconfined` to weaken isolation

This can lead to host secret exfiltration or full host control (via Docker socket exposure).

## Fix
OpenClaw now blocks dangerous sandbox Docker settings:
- runtime enforcement when building `docker create` args
- config-schema validation for `network=host`, `seccompProfile=unconfined`, `apparmorProfile=unconfined`
- security audit findings to surface dangerous sandbox docker config

## Workarounds
- Do not configure `agents.*.sandbox.docker.binds` to mount system directories or Docker socket paths.
- Keep `agents.*.sandbox.docker.network` at `none` (default) or `bridge`.
- Do not use `unconfined` for seccomp/AppArmor profiles.

## Fix Commit(s)
- 887b209db47f1f9322fead241a1c0b043fd38339
- 1b6704ef5800152c777ea52b77aa2c8a46c13705 (docs)

## Release Process Note
This advisory is pre-populated with the planned fixed version (`>= 2026.2.15`). Once `openclaw@2026.2.15` is published to npm, publishing this advisory should be a single-click action.

Thanks @aether-ai-agent for reporting.
NVD CVSS 3.1: 9.8
NVD CVSS 4.0: 7.7
Vulnerability type: CWE-250
Published: 18 Feb 2026 · Updated: 11 Mar 2026 · First seen: 6 Mar 2026