GHSA-42mx-vp8m-j7qh: openclaw: sandbox escape via mirror mode hook execution
GHSA-42mx-vp8m-j7qh MEDIUMOpenShell's mirror mode in openclaw (npm) allows untrusted files synced from a sandbox to be promoted to workspace hooks that execute arbitrary code on the host system at gateway startup — a direct sandbox escape violating the fundamental isolation contract of AI agent environments. While the attack chain requires mirror mode enabled, workspace hooks configured, explicit opt-in, and a gateway restart, these are not exotic conditions in production agentic deployments where mirror sync is a common operational pattern. No public exploit exists and the vulnerability is not in CISA KEV, but with 37 CVEs in this package and an active third-party skills ecosystem with documented malicious actor presence (AIID #1368), the risk of weaponization in multi-tenant or shared agent environments is credible. Upgrade immediately to openclaw >= 2026.3.28; if patching is blocked, disable mirror mode and audit hook allowlists for entries introduced via sync operations.
What is the risk?
Medium risk with elevated concern in AI agent production environments. The multi-condition exploit chain (mirror mode + hooks enabled + explicit opt-in + gateway restart) limits opportunistic exploitation, but the blast radius of host-level code execution from a sandboxed context is severe. The openclaw ecosystem's documented history of supply-chain abuse (malicious skills, AIID #1368) increases the probability that a threat actor could craft a malicious sandbox artifact designed to survive mirror sync and persist as a hook.
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| OpenClaw | npm | <= 2026.3.24 | 2026.3.28 |
Do you use OpenClaw? You're affected.
How severe is it?
What should I do?
6 steps-
Patch: Upgrade openclaw to >= 2026.3.28 (fix committed 2026-03-25, stable tag v2026.3.28).
-
If patching is not immediately possible: disable OpenShell mirror mode in all agent configurations.
-
Disable or restrict workspace hooks — if hooks are not required operationally, remove the opt-in entirely.
-
Audit existing hook configurations for entries that may have been introduced via mirror sync from sandbox-originated files.
-
Review gateway startup logs for unexpected hook executions.
-
In multi-tenant environments, treat this as high priority — shared agent infrastructure amplifies the blast radius significantly.
How is it classified?
Which compliance frameworks are affected?
This CVE is relevant to:
Frequently Asked Questions
What is GHSA-42mx-vp8m-j7qh?
OpenShell's mirror mode in openclaw (npm) allows untrusted files synced from a sandbox to be promoted to workspace hooks that execute arbitrary code on the host system at gateway startup — a direct sandbox escape violating the fundamental isolation contract of AI agent environments. While the attack chain requires mirror mode enabled, workspace hooks configured, explicit opt-in, and a gateway restart, these are not exotic conditions in production agentic deployments where mirror sync is a common operational pattern. No public exploit exists and the vulnerability is not in CISA KEV, but with 37 CVEs in this package and an active third-party skills ecosystem with documented malicious actor presence (AIID #1368), the risk of weaponization in multi-tenant or shared agent environments is credible. Upgrade immediately to openclaw >= 2026.3.28; if patching is blocked, disable mirror mode and audit hook allowlists for entries introduced via sync operations.
Is GHSA-42mx-vp8m-j7qh actively exploited?
No confirmed active exploitation of GHSA-42mx-vp8m-j7qh has been reported, but organizations should still patch proactively.
How to fix GHSA-42mx-vp8m-j7qh?
1. Patch: Upgrade openclaw to >= 2026.3.28 (fix committed 2026-03-25, stable tag v2026.3.28). 2. If patching is not immediately possible: disable OpenShell mirror mode in all agent configurations. 3. Disable or restrict workspace hooks — if hooks are not required operationally, remove the opt-in entirely. 4. Audit existing hook configurations for entries that may have been introduced via mirror sync from sandbox-originated files. 5. Review gateway startup logs for unexpected hook executions. 6. In multi-tenant environments, treat this as high priority — shared agent infrastructure amplifies the blast radius significantly.
What systems are affected by GHSA-42mx-vp8m-j7qh?
This vulnerability affects the following AI/ML architecture patterns: agent frameworks, sandboxed execution environments, AI agent orchestration pipelines, multi-agent gateway deployments.
What is the CVSS score for GHSA-42mx-vp8m-j7qh?
No CVSS score has been assigned yet.
What is the AI security impact?
Affected AI Architectures
MITRE ATLAS Techniques
AML.T0010.005 AI Agent Tool AML.T0011.000 Unsafe AI Artifacts AML.T0081 Modify AI Agent Configuration AML.T0105 Escape to Host Compliance Controls Affected
What are the technical details?
Original Advisory
## Summary OpenShell `mirror` mode can convert untrusted sandbox files into explicitly enabled workspace hooks and execute them on the host during gateway startup ## Current Maintainer Triage - Status: narrow - Normalized severity: medium - Assessment: Real on shipped <=2026.3.22 OpenShell mirror sync, but exploit needs mirror mode plus hooks enabled plus explicit hook opt-in plus restart, so high is overstated even though the direct fix shipped in v2026.3.28. ## Affected Packages / Versions - Package: `openclaw` (npm) - Latest published npm version: `2026.3.31` - Vulnerable version range: `<=2026.3.24` - Patched versions: `>= 2026.3.28` - First stable tag containing the fix: `v2026.3.28` ## Fix Commit(s) - `c02ee8a3a4cb390b23afdf21317aa8b2096854d1` — 2026-03-25T19:59:07Z ## Release Process Note - The fix is already present in released version `2026.3.28`. - This draft looks ready for final maintainer disposition or publication, not additional code-fix work. Thanks @tdjackey for reporting.
Exploitation Scenario
An adversary who has placed malicious files in a sandboxed environment (via prompt injection into the agent, a poisoned tool artifact, or a malicious skill from ClawHub) crafts files that are structurally indistinguishable from legitimate workspace configuration. When the operator runs mirror sync — a routine maintenance operation — these files are copied to the host workspace and recognized as explicitly-enabled hooks by the gateway. On the next gateway restart (routine during patching cycles or service restarts), the hooks execute on the host with gateway-level privileges, achieving full sandbox escape. The attack is particularly stealthy because the payload is planted during a seemingly benign sync operation and triggered by a legitimate administrative action.
Weaknesses (CWE)
CWE-829 — Inclusion of Functionality from Untrusted Control Sphere: The product imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere.
- [Architecture and Design] Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid [REF-1482].
- [Architecture and Design] When the set of acceptable objects, such as filenames or URLs, is limited or known, create a mapping from a set of fixed input values (such as numeric IDs) to the actual filenames or URLs, and reject all other inputs. For example, ID 1 could map to "inbox.txt" and ID 2 could map to "profile.txt". Features such as the ESAPI AccessReferenceMap [REF-45] provide this capability.
Source: MITRE CWE corpus.
References
Timeline
Related Vulnerabilities
CVE-2026-33579 9.9 OpenClaw: scope bypass escalates low-priv to admin
Same package: openclaw CVE-2026-32922 9.9 OpenClaw: privilege escalation to RCE via token scope bypass
Same package: openclaw CVE-2026-30741 9.8 OpenClaw: RCE via request-side prompt injection
Same package: openclaw CVE-2026-32038 9.8 OpenClaw: sandbox bypass enables container lateral movement
Same package: openclaw CVE-2026-53838 9.8 OpenClaw: approval scope bypass via reconnection state
Same package: openclaw