OpenClaw < 2026.3.31 - Sandbox Bypass via Heartbeat Context Inheritance...

9 / 10

CRITICAL

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Description

OpenClaw before 2026.3.31 contains a sandbox bypass vulnerability allowing attackers to escalate privileges via heartbeat context inheritance and senderIsOwner parameter manipulation. Attackers can exploit improper context validation to bypass sandbox restrictions and achieve unauthorized privilege escalation.

AI Analysis

Sandbox bypass vulnerability via heartbeat context inheritance and senderIsOwner parameter manipulation, allowing attackers to escalate privileges

Basic Information

ID CVE-2026-41329

Source VulnCheck

Published Apr 20, 2026 at 23:08

Affected Product

Vendor OpenClaw

Product OpenClaw

Affected Versions OpenClaw OpenClaw 0

CWE Classification

CWE-648

AI Assessment

AI Score 9 / 10

AI Severity Critical

Vendor OpenClaw

Product OpenClaw

Version < 2026.3.31

References

{
    "lastseen": "",
    "description": "OpenClaw before 2026.3.31 contains a sandbox bypass vulnerability allowing attackers to escalate privileges via heartbeat context inheritance and senderIsOwner parameter manipulation. Attackers can exploit improper context validation to bypass sandbox restrictions and achieve unauthorized privilege escalation.",
    "published": "2026-04-20T23:08:16.222Z",
    "modified": "2026-04-20T23:08:16.222Z",
    "type": "cve",
    "title": "OpenClaw < 2026.3.31 - Sandbox Bypass via Heartbeat Context Inheritance and senderIsOwner Escalation",
    "source": "VulnCheck",
    "references": "https://github.com/openclaw/openclaw/security/advisories/GHSA-g5cg-8x5w-7jpm\nhttps://github.com/openclaw/openclaw/commit/a30214a624946fc5c85c9558a27c1580172374fd\nhttps://www.vulncheck.com/advisories/openclaw-sandbox-bypass-via-heartbeat-context-inheritance-and-senderisowner-escalation",
    "id": "CVE-2026-41329",
    "bulletinFamily": "",
    "cwe": [
        "CWE-648"
    ],
    "cvelist": null,
    "sourceData": "OpenClaw OpenClaw 0",
    "sourceHref": "",
    "cvss": {
        "score": 9,
        "severity": "CRITICAL",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "OpenClaw",
    "version": "0",
    "vendor": "OpenClaw",
    "ai_description": "Sandbox bypass vulnerability via heartbeat context inheritance and senderIsOwner parameter manipulation, allowing attackers to escalate privileges",
    "ai_severity": "Critical",
    "ai_vendor": "OpenClaw",
    "ai_product": "OpenClaw",
    "ai_version": "< 2026.3.31",
    "ai_score": 9
}

OpenClaw < 2026.3.31 - Sandbox Bypass via Heartbeat Context Inheritance and senderIsOwner Escalation_CVE-2026-41329