GHSA-ww6v-v748-x7g9
Suggest an improvement- Source
- https://github.com/advisories/GHSA-ww6v-v748-x7g9
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-ww6v-v748-x7g9/GHSA-ww6v-v748-x7g9.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-ww6v-v748-x7g9
- Aliases
- Downstream
- Published
- 2026-03-02T23:37:46Z
- Modified
- 2026-03-25T20:41:22.603091Z
- Severity
-
- 9.0 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H CVSS Calculator
- 6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N CVSS Calculator
- Summary
- OpenClaw has a sandbox network isolation bypass via docker.network=container:<id>
- Details
-
Summary
In
openclaw@2026.2.23, sandbox network hardening blocksnetwork=hostbut still allowsnetwork=container:<id>.This can let a sandbox join another container's network namespace and reach services available in that namespace.
Preconditions and Trust Model Context
This issue requires a trusted-operator configuration path (for example setting
agents.defaults.sandbox.docker.networkin gateway config). It is not an unauthenticated remote exploit by itself.Details
Current validation blocks only
host, while forwarding other values to Docker create args:validateNetworkMode(network)only rejects values inBLOCKED_NETWORK_MODES = {"host"}.buildSandboxCreateArgs(...)validates then forwardscfg.networkinto--network.- Browser sandbox helper also treats
container:as an accepted mode in network preparation.
Effective behavior:
host-> blockedcontainer:<id>-> accepted and forwarded
Impact
Type: sandbox network isolation hardening bypass.
Practical impact depends on deployment:
- Requires ability to influence trusted sandbox network config.
- Higher impact when a target container exposes privileged/internal network reachability.
Remediation
Block namespace-join style network modes (including
container:<id>) for sandbox containers, and keep strict allowlisting for safe network modes.Patch Status
Fixed on
mainin commit14b6eea6e: https://github.com/openclaw/openclaw/commit/14b6eea6eFollow-up refactor/cleanup (no policy rollback): https://github.com/openclaw/openclaw/commit/5552f9073
Publication Update (2026-02-25)
openclaw@2026.2.24is published on npm and contains the fix commit(s) listed above. This advisory now marks>= 2026.2.24as patched. - Database specific
{ "github_reviewed": true, "github_reviewed_at": "2026-03-02T23:37:46Z", "cwe_ids": [ "CWE-284", "CWE-693" ], "severity": "MODERATE", "nvd_published_at": "2026-03-19T22:16:39Z" }- References
-
- https://github.com/openclaw/openclaw/security/advisories/GHSA-ww6v-v748-x7g9
- https://nvd.nist.gov/vuln/detail/CVE-2026-32038
- https://github.com/openclaw/openclaw/commit/14b6eea6e
- https://github.com/openclaw/openclaw/commit/5552f9073
- https://github.com/openclaw/openclaw
- https://www.vulncheck.com/advisories/openclaw-sandbox-network-isolation-bypass-via-docker-network-container-parameter
Affected packages
npm / openclaw
Package
- Name
- openclaw
- View open source insights on deps.dev
- Purl
- pkg:npm/openclaw