GHSA-42mx-vp8m-j7qh: openclaw: sandbox escape via mirror mode hook execution

GHSA-42mx-vp8m-j7qh MEDIUM
Published April 7, 2026
CISO Take

OpenShell's mirror mode in openclaw (npm) allows untrusted files synced from a sandbox to be promoted to workspace hooks that execute arbitrary code on the host system at gateway startup — a direct sandbox escape violating the fundamental isolation contract of AI agent environments. While the attack chain requires mirror mode enabled, workspace hooks configured, explicit opt-in, and a gateway restart, these are not exotic conditions in production agentic deployments where mirror sync is a common operational pattern. No public exploit exists and the vulnerability is not in CISA KEV, but with 37 CVEs in this package and an active third-party skills ecosystem with documented malicious actor presence (AIID #1368), the risk of weaponization in multi-tenant or shared agent environments is credible. Upgrade immediately to openclaw >= 2026.3.28; if patching is blocked, disable mirror mode and audit hook allowlists for entries introduced via sync operations.

Sources: GitHub Advisory ATLAS

Risk Assessment

Medium risk with elevated concern in AI agent production environments. The multi-condition exploit chain (mirror mode + hooks enabled + explicit opt-in + gateway restart) limits opportunistic exploitation, but the blast radius of host-level code execution from a sandboxed context is severe. The openclaw ecosystem's documented history of supply-chain abuse (malicious skills, AIID #1368) increases the probability that a threat actor could craft a malicious sandbox artifact designed to survive mirror sync and persist as a hook.

Affected Systems

Package  | Ecosystem | Vulnerable Range | Patched
openclaw | npm       | <= 2026.3.24     | 2026.3.28


Severity & Risk

CVSS 3.1: N/A
EPSS: N/A
Exploitation Status: No known exploitation
Sophistication: Moderate

Recommended Action

  1. Patch: Upgrade openclaw to >= 2026.3.28 (fix committed 2026-03-25, stable tag v2026.3.28).
  2. If patching is not immediately possible: disable OpenShell mirror mode in all agent configurations.
  3. Disable or restrict workspace hooks — if hooks are not required operationally, remove the opt-in entirely.
  4. Audit existing hook configurations for entries that may have been introduced via mirror sync from sandbox-originated files.
  5. Review gateway startup logs for unexpected hook executions.
  6. In multi-tenant environments, treat this as high priority — shared agent infrastructure amplifies the blast radius significantly.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act: Article 15 - Accuracy, robustness and cybersecurity
ISO 42001: A.6.2.3 - AI system operational and monitoring controls
NIST AI RMF: GOVERN-1.6 - Organizational risk management processes
OWASP LLM Top 10: LLM03 - Supply Chain; LLM06 - Excessive Agency

Related AI Incidents (1)

Source: AI Incident Database (AIID)

Technical Details

NVD Description

## Summary

OpenShell `mirror` mode can convert untrusted sandbox files into explicitly enabled workspace hooks and execute them on the host during gateway startup.

## Current Maintainer Triage

- Status: narrow
- Normalized severity: medium
- Assessment: Real on shipped <=2026.3.22 OpenShell mirror sync, but exploit needs mirror mode plus hooks enabled plus explicit hook opt-in plus restart, so high is overstated even though the direct fix shipped in v2026.3.28.

## Affected Packages / Versions

- Package: `openclaw` (npm)
- Latest published npm version: `2026.3.31`
- Vulnerable version range: `<=2026.3.24`
- Patched versions: `>= 2026.3.28`
- First stable tag containing the fix: `v2026.3.28`

## Fix Commit(s)

- `c02ee8a3a4cb390b23afdf21317aa8b2096854d1` — 2026-03-25T19:59:07Z

## Release Process Note

- The fix is already present in released version `2026.3.28`.
- This draft looks ready for final maintainer disposition or publication, not additional code-fix work.

Thanks @tdjackey for reporting.

Exploitation Scenario

An adversary who has placed malicious files in a sandboxed environment (via prompt injection into the agent, a poisoned tool artifact, or a malicious skill from ClawHub) crafts files that are structurally indistinguishable from legitimate workspace configuration. When the operator runs mirror sync — a routine maintenance operation — these files are copied to the host workspace and recognized as explicitly-enabled hooks by the gateway. On the next gateway restart (routine during patching cycles or service restarts), the hooks execute on the host with gateway-level privileges, achieving full sandbox escape. The attack is particularly stealthy because the payload is planted during a seemingly benign sync operation and triggered by a legitimate administrative action.

Timeline

Published: April 7, 2026
Last Modified: April 7, 2026
First Seen: April 7, 2026
