OpenClaw Sandboxed Agent Exec Routing Escape
A vulnerability in the openclaw npm package (versions >= 2026.4.5 and < 2026.4.10) allows a sandboxed agent to bypass intended sandbox execution paths by requesting `host: "node"`, potentially leading to code execution on a remote node.
The OpenClaw library, an npm package, contains a vulnerability that allows sandboxed agents to escape their intended execution environment. Specifically, by manipulating the host parameter in an execution request to "node", a malicious agent can bypass the sandbox routing boundary. This causes the execution to be routed to a remote node instead of remaining within the controlled sandbox. This issue affects versions of the openclaw package between 2026.4.5 and 2026.4.10. This vulnerability was reported by @zsxsoft, with sponsorship from @KeenSecurityLab and @qclawer, and patched in version 2026.4.10. The latest release, version 2026.4.14, includes the fix. Defenders should upgrade to version 2026.4.10 or later to mitigate this risk.
Attack Chain
- A sandboxed agent is compromised or created with malicious intent.
- The agent crafts an execution request using the vulnerable
openclawlibrary. - The agent modifies the execution request to include the parameter
host: "node". - The
openclawlibrary incorrectly routes the execution request due to thehostparameter override. - Instead of executing within the sandboxed environment, the request is routed to a remote node.
- The remote node receives the execution request and processes it.
- Malicious code is executed on the remote node, bypassing the intended sandbox restrictions.
Impact
Successful exploitation of this vulnerability allows a sandboxed agent to execute arbitrary code on a remote node. This can lead to a compromise of the remote node, potentially allowing the attacker to gain unauthorized access to sensitive data, escalate privileges, or perform other malicious actions. This can also affect any service or applications running on the remote node. This issue has the potential to impact any system using a vulnerable version of the openclaw library.
Recommendation
- Upgrade the
openclawnpm package to version 2026.4.10 or later to remediate the vulnerability. - Monitor npm package installations for vulnerable versions of
openclaw(>= 2026.4.5 < 2026.4.10). - Implement additional security measures to restrict the capabilities of sandboxed agents.
- Deploy the Sigma rules below to detect suspicious process creations related to the execution of commands from unexpected hosts within the openclaw environment.
Detection coverage 2
Detect OpenClaw Sandbox Escape Attempt via Host Override
highDetects attempts to bypass the sandbox by requesting `host: "node"` in OpenClaw environments
Detect OpenClaw Remote Node Execution
mediumDetects suspicious processes initiated on a remote node potentially exploited through OpenClaw sandbox escape.
Detection queries are available on the platform. Get full rules →