GHSA-736r-jwj6-4w23: openclaw: sandbox escape via host=node exec routing bypass

GHSA-736r-jwj6-4w23 HIGH
Published April 17, 2026
CISO Take

A high-severity sandbox escape in the openclaw AI agent framework allows sandboxed agents to override execution routing by specifying `host: "node"` in exec requests, causing execution to be dispatched to a remote node entirely outside the intended sandbox boundary — effectively voiding the containment guarantee. This is not a theoretical edge case: CWE-863 (Incorrect Authorization) here means the sandbox enforcement layer never checked whether a sandboxed agent was permitted to self-select its execution target, making it exploitable by any code running inside a sandbox. Although only 4 direct downstream npm dependents are tracked and no public exploit or KEV listing exists today, the pattern is extremely dangerous in multi-tenant or shared agent environments where sandbox boundaries are a primary trust control. Organizations running openclaw >= 2026.4.5 should upgrade to 2026.4.10 or the latest 2026.4.14 immediately; no workaround is viable short of disabling the exec routing feature entirely.

Sources: GitHub Advisory ATLAS

What is the risk?

High. The vulnerability sits at a critical trust boundary: the entire security model of sandboxed agent execution collapses if an agent can self-nominate its execution host. CWE-863 here is particularly pernicious because it requires no privilege escalation: the sandboxed agent already has exec capability and simply misroutes it. The absence of EPSS data reflects the novelty of the CVE, not low risk. The 135 prior CVEs in this package suggest an active attack surface. In AI agent platforms running multi-tenant or user-customizable agents, this becomes a cross-tenant isolation failure, escalating impact significantly.

How does the attack unfold?

  1. Initial Access (AML.T0010.005): Adversary gains execution context inside a sandboxed openclaw agent, via a malicious skill, prompt injection into agent reasoning, or a compromised agent dependency.
  2. Defense Evasion (AML.T0097): Agent crafts an exec request with the `host: "node"` parameter; the framework fails to validate whether sandboxed agents may override the execution host and silently accepts the override.
  3. Sandbox Escape (AML.T0105): Exec is routed to the adversary-specified remote node outside the sandbox boundary, granting code execution on a host the sandbox was designed to protect.
  4. Impact (AML.T0086): Adversary executes arbitrary code on the target node with openclaw process privileges, enabling data exfiltration, lateral movement, or further infrastructure compromise.

What systems are affected?

| Package  | Ecosystem | Vulnerable Range         | Patched   |
|----------|-----------|--------------------------|-----------|
| OpenClaw | npm       | >= 2026.4.5, < 2026.4.10 | 2026.4.10 |

4 dependents; 36% patched; ~3d to patch.

Do you use OpenClaw? You're affected.

How severe is it?

CVSS 3.1: N/A
EPSS: N/A
Exploitation Status: No known exploitation
Sophistication: Moderate

What should I do?

5 steps
  1. Patch immediately

    Upgrade openclaw to >= 2026.4.10; latest stable is 2026.4.14.

  2. Audit agent configs

    Review any agent configurations that set a `host` parameter in exec requests; flag non-default values.

  3. Network-level mitigation (temporary)

    If patching is delayed, block outbound exec routing to unauthorized remote nodes at the network layer or via exec policy enforcement outside the framework.

  4. Detection

    Search logs for exec requests originating from sandboxed agents with `host` fields pointing to non-sandbox node identifiers.

  5. Incident response

    If you ran openclaw 2026.4.5–2026.4.9 in a multi-tenant or internet-facing context, assume sandbox boundaries may have been violated and review node access logs for anomalous exec calls.
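One way to run the detection step above over exec-request logs, written here as an added example in TypeScript rather than any code from openclaw itself. The line format, the field names (`ts`, `agent`, `sandboxed`, `host`, `cmd`), the set of host identifiers treated as "inside the sandbox", and the sample lines are all constructed for this example; openclaw's real log format is not on the page, so `parseExecLogLine()` must be adapted to whatever your deployment emits.

```typescript
// Added example (not openclaw's own code): scan exec-request log lines for the
// pattern step 4 describes, a sandboxed agent whose exec request carries a
// `host` field naming something other than its sandbox. The log line format,
// the field names and the sample lines below are all constructed for this
// example; adapt parseExecLogLine() to the format your deployment emits.

interface ExecLogEntry {
  ts: string;
  agent: string;
  sandboxed: boolean;
  host: string | null; // value of the `host` field in the exec request, if present
  cmd: string;
}

// Host identifiers that legitimately mean "stay inside the sandbox" (assumption).
const SANDBOX_HOST_IDS: ReadonlySet<string> = new Set(['sandbox']);

// Constructed sample log: key=value pairs with the command quoted last.
const SAMPLE_LOG: string[] = [
  'ts=2026-04-16T10:01:02Z agent=agent-a sandboxed=true cmd="ls -la"',
  'ts=2026-04-16T10:01:05Z agent=agent-a sandboxed=true host=node cmd="id"',
  'ts=2026-04-16T10:02:10Z agent=agent-b sandboxed=false host=node cmd="npm test"',
  'ts=2026-04-16T10:03:44Z agent=agent-c sandboxed=true host=sandbox cmd="echo hi"',
  'ts=2026-04-16T10:04:00Z agent=agent-d sandboxed=true host=node-7 cmd="uname -a"',
  'this line is not an exec record',
];

function parseExecLogLine(line: string): ExecLogEntry | null {
  const cmdMatch = /cmd="([^"]*)"/.exec(line);
  if (!cmdMatch) return null; // not an exec record
  // Strip the quoted command first so spaces inside it cannot confuse the
  // key=value scan below.
  const rest = line.replace(cmdMatch[0], '');
  const fields: Record<string, string> = {};
  const kv = /(\w+)=(\S+)/g;
  let m: RegExpExecArray | null;
  while ((m = kv.exec(rest)) !== null) fields[m[1]] = m[2];
  if (!fields.ts || !fields.agent || !fields.sandboxed) return null;
  return {
    ts: fields.ts,
    agent: fields.agent,
    sandboxed: fields.sandboxed === 'true',
    host: fields.host ?? null,
    cmd: cmdMatch[1],
  };
}

// An entry is suspicious when a sandboxed agent names a host outside the
// sandbox set. Non-sandboxed callers that set a host are out of scope here.
function isSandboxHostOverride(e: ExecLogEntry): boolean {
  return e.sandboxed && e.host !== null && !SANDBOX_HOST_IDS.has(e.host);
}

function findSandboxHostOverrides(lines: string[]): ExecLogEntry[] {
  const hits: ExecLogEntry[] = [];
  for (const line of lines) {
    const entry = parseExecLogLine(line);
    if (entry && isSandboxHostOverride(entry)) hits.push(entry);
  }
  return hits;
}

for (const hit of findSandboxHostOverrides(SAMPLE_LOG)) {
  console.log(`${hit.ts} agent=${hit.agent} host=${hit.host} cmd=${JSON.stringify(hit.cmd)}`);
}
```

On the constructed sample the scan flags two records (agent-a with `host=node` and agent-d with `host=node-7`) and ignores the non-sandboxed caller and the sandboxed caller whose host is the sandbox itself. The match on `sandboxed=true` plus any non-sandbox host is the whole signal; the command text is carried along only so an analyst can triage the hit.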

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act: Article 15 - Accuracy, robustness and cybersecurity; Article 9 - Risk management system
ISO 42001: A.6.2.5 - AI system access control; A.9.1 - Security of AI systems
NIST AI RMF: GOVERN 1.4 - Organizational teams commit to AI risk management; MANAGE 2.2 - Mechanisms to sustain responses to AI risks
OWASP LLM Top 10: LLM06 - Excessive Agency; LLM08 - Insecure Plugin Design


What is the AI security impact?

Affected AI Architectures

agent frameworks, multi-agent pipelines, model serving, AI orchestration platforms

MITRE ATLAS Techniques

AML.T0053 AI Agent Tool Invocation
AML.T0081 Modify AI Agent Configuration
AML.T0097 Virtualization/Sandbox Evasion
AML.T0105 Escape to Host
AML.T0107 Exploitation for Defense Evasion

Compliance Controls Affected

EU AI Act: Article 15, Article 9
ISO 42001: A.6.2.5, A.9.1
NIST AI RMF: GOVERN 1.4, MANAGE 2.2
OWASP LLM Top 10: LLM06, LLM08

What are the technical details?

Original Advisory

## Summary

Sandboxed agents could escape exec routing via host=node override.

## Affected Packages / Versions

- Package: `openclaw`
- Ecosystem: npm
- Affected versions: `>= 2026.4.5 < 2026.4.10`
- Patched versions: `>= 2026.4.10`

## Impact

A sandboxed agent could request `host: "node"` and route exec to a remote node instead of the intended sandbox execution path, bypassing the sandbox routing boundary.

## Technical Details

The fix blocks sandboxed exec escape to remote node targets and keeps routing aligned with the active sandbox policy.

## Fix

The issue was fixed in #63880. The first stable tag containing the fix is `v2026.4.10`, and `openclaw@2026.4.14` includes the fix.

## Fix Commit(s)

- `dffad08529202edbf34e4808788e1182fe10f6a9`
- PR: #63880

## Release Process Note

Users should upgrade to `openclaw` 2026.4.10 or newer. The latest npm release, `2026.4.14`, already includes the fix.

## Credits

Thanks to @zsxsoft, with sponsorship from @KeenSecurityLab and @qclawer for reporting this issue.

Exploitation Scenario

An adversary with the ability to influence code running inside a sandboxed openclaw agent — via a malicious skill, a prompt injection into the agent's reasoning loop, or a compromised dependency — crafts an exec request with the parameter `host: "node"`. The framework fails to validate whether a sandboxed agent is authorized to specify an alternative execution host, and routes the exec to the designated remote node instead of the sandbox. The adversary now executes arbitrary code on a production node outside the sandbox perimeter, with whatever permissions the openclaw node process holds. In a multi-tenant platform, this could mean cross-tenant code execution. In a SaaS deployment, it could reach the database host or internal service network. The referenced AIID #1368 incident — malicious OpenClaw skills delivering a credential stealer — represents a realistic second stage following this escape.
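The authorization gap described in the advisory's technical details and in the scenario above, shown as an added TypeScript illustration rather than openclaw's own router or its actual fix: a router that takes a caller-supplied `host` at face value next to one that derives the target from the caller's sandbox policy. Every type and function name here (`ExecRequest`, `CallerContext`, `routeExecVulnerable`, `routeExecHardened`) is hypothetical, as is the allow-list model for non-sandboxed callers.

```typescript
// Added example, not openclaw's own code. Illustrates the CWE-863 shape the
// advisory describes: an exec router that honours a caller-supplied `host`
// override without asking whether the caller is sandboxed, next to a hardened
// router that takes the target from the active sandbox policy. Every name here
// (ExecRequest, CallerContext, routeExec*) is hypothetical.

type ExecTarget =
  | { kind: 'sandbox'; sandboxId: string }
  | { kind: 'node'; nodeId: string };

interface ExecRequest {
  command: string;
  host?: string; // e.g. "node", "node-7" or absent; caller-controlled
}

interface CallerContext {
  agentId: string;
  sandboxed: boolean;
  sandboxId?: string;                // present when sandboxed
  allowedNodes: ReadonlySet<string>; // nodes a non-sandboxed caller may name
}

class ExecRoutingError extends Error {}

// Vulnerable shape: whoever sets `host` chooses the target. A sandboxed caller
// that sends host: "node" is routed to a remote node, which is the escape.
function routeExecVulnerable(req: ExecRequest, ctx: CallerContext): ExecTarget {
  if (req.host !== undefined && req.host !== 'sandbox') {
    return { kind: 'node', nodeId: req.host };
  }
  return ctx.sandboxed
    ? { kind: 'sandbox', sandboxId: ctx.sandboxId ?? 'default' }
    : { kind: 'node', nodeId: 'local' };
}

// Hardened shape: the sandbox policy, not the request, decides. A sandboxed
// caller's host override is refused outright (fail closed, and worth logging
// as a policy violation); a non-sandboxed caller may only name allow-listed nodes.
function routeExecHardened(req: ExecRequest, ctx: CallerContext): ExecTarget {
  if (ctx.sandboxed) {
    if (req.host !== undefined && req.host !== 'sandbox') {
      throw new ExecRoutingError(
        `agent ${ctx.agentId}: host override "${req.host}" is not permitted inside a sandbox`,
      );
    }
    return { kind: 'sandbox', sandboxId: ctx.sandboxId ?? 'default' };
  }
  const nodeId = req.host ?? 'local';
  if (!ctx.allowedNodes.has(nodeId)) {
    throw new ExecRoutingError(`agent ${ctx.agentId}: node "${nodeId}" is not on the allow-list`);
  }
  return { kind: 'node', nodeId };
}

// Demonstration with a constructed sandboxed caller.
const sandboxedAgent: CallerContext = {
  agentId: 'agent-a', sandboxed: true, sandboxId: 'sb-1', allowedNodes: new Set(),
};
const overrideRequest: ExecRequest = { command: 'id', host: 'node' };
console.log('vulnerable:', routeExecVulnerable(overrideRequest, sandboxedAgent));
try {
  routeExecHardened(overrideRequest, sandboxedAgent);
} catch (e) {
  console.log('hardened:', (e as Error).message);
}
```

The design point is that the sandbox decision is made from the caller's context, which the framework owns, rather than from request fields the agent controls. Refusing the override (instead of silently pinning the request back to the sandbox) is the defender-friendly choice because it produces an event that the detection step under "What should I do?" can alert on.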

Weaknesses (CWE)

CWE-863 — Incorrect Authorization: The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

  • [Architecture and Design] Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries. Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
  • [Architecture and Design] Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].

Source: MITRE CWE corpus.

Timeline

Published: April 17, 2026
Last Modified: April 17, 2026
First Seen: April 18, 2026
