OpenClaw Sandbox Bypass via Heartbeat Context Inheritance
A critical vulnerability in the openclaw npm package (<=2026.3.28) allows heartbeat context inheritance to be abused to bypass the sandbox via senderIsOwner escalation; it is patched in version 2026.3.31.
The openclaw npm package contains a critical vulnerability in how heartbeat contexts are inherited. Specifically, improper handling of the senderIsOwner property during context inheritance allows a malicious actor to bypass the intended sandbox restrictions. The vulnerability affects openclaw versions up to and including 2026.3.28. It was reported by @AntAISecurityLab and patched in version 2026.3.31, released on March 31, 2026. Defenders should ensure that their openclaw dependencies are updated to the patched version or later to mitigate this risk.
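As an added illustration (not openclaw's code, and not a claim about its actual root cause), the snippet below shows the general class of flaw the advisory describes: a derived context that inherits a trust flag from its parent, next to a hardened derivation that rebuilds the child from an explicit allow-list and resets trust flags to their least-privileged value. All names, fields and the PARENT_CONTEXT sample are hypothetical.

```javascript
// Added illustration, not openclaw's code: how a trust flag such as
// senderIsOwner can leak from a parent context into a derived (heartbeat)
// context, and a hardened derivation that copies only an allow-list of
// fields and resets trust flags. All names below are hypothetical.

// Constructed sample: a privileged parent context as an application might hold it.
const PARENT_CONTEXT = {
  sessionId: "sess-1",
  sandboxed: true,
  senderIsOwner: true, // trust flag that must never be inherited implicitly
  heartbeatInterval: 30,
};

// Flawed pattern: the child inherits every parent field, trust flags included,
// and any caller-supplied override can set them too.
function deriveHeartbeatContextFlawed(parent, overrides = {}) {
  return { ...parent, ...overrides };
}

// Hardened pattern: only listed non-trust fields are copied from the parent
// or accepted from overrides; trust and containment flags are always reset.
const INHERITABLE_FIELDS = ["sessionId", "heartbeatInterval"];

function deriveHeartbeatContextHardened(parent, overrides = {}) {
  const child = {};
  for (const key of INHERITABLE_FIELDS) {
    if (key in parent) child[key] = parent[key];
  }
  for (const key of INHERITABLE_FIELDS) {
    if (key in overrides) child[key] = overrides[key];
  }
  // Least privilege by construction: a heartbeat context is never an owner
  // context and never leaves the sandbox, regardless of what it was derived from.
  child.senderIsOwner = false;
  child.sandboxed = true;
  return Object.freeze(child);
}

// Gate standing in for the sandbox check that trusts the flag.
function mayBypassSandbox(ctx) {
  return ctx.senderIsOwner === true;
}

console.log("flawed derivation bypasses sandbox:",
  mayBypassSandbox(deriveHeartbeatContextFlawed(PARENT_CONTEXT)));
console.log("hardened derivation bypasses sandbox:",
  mayBypassSandbox(deriveHeartbeatContextHardened(PARENT_CONTEXT, { senderIsOwner: true })));
```

The design point is that trust flags should be an explicit output of the derivation, not something copied through from whatever object happened to be the parent; freezing the result also stops later code from flipping the flag on a context that is already in use.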
Attack Chain
- Attacker crafts a malicious package that includes the vulnerable openclaw version (<=2026.3.28) as a dependency.
- The malicious package leverages the heartbeat functionality of openclaw to establish an initial context.
- The attacker manipulates the heartbeat context inheritance mechanism to gain control of the senderIsOwner property.
- By exploiting the inheritance flaw, the attacker escalates privileges within the openclaw sandbox environment.
- The attacker utilizes the escalated privileges to execute arbitrary code within the sandbox.
- The arbitrary code gains access to sensitive resources or data within the application utilizing the openclaw package.
- The attacker exfiltrates the compromised data or uses the compromised application as a pivot point for further attacks.
Impact
Successful exploitation of this vulnerability allows attackers to bypass the openclaw sandbox, potentially leading to arbitrary code execution within applications using the vulnerable package. While the exact scope of impact depends on the application using openclaw, the critical severity suggests significant potential for data breaches, service disruption, or further lateral movement within the compromised environment. Given the widespread use of npm packages, a successful exploit could affect a large number of applications and users.
Recommendation
- Upgrade the openclaw npm package to version 2026.3.31 or later. This version contains the fix for the identified vulnerability.
- Deploy the Sigma rules provided below to detect potential exploitation attempts in your environment. Focus on monitoring process creation and file events related to openclaw.
- Implement software composition analysis (SCA) tools to automatically detect vulnerable dependencies like openclaw in your projects.
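As an added example supporting the upgrade and SCA recommendations (not part of the advisory and not openclaw's own tooling), the script below walks the "packages" map of a package-lock.json (lockfile v2/v3 layout) and flags every installed copy of openclaw, including nested transitive copies, whose version is below the 2026.3.31 fix. The SAMPLE_LOCKFILE, the "some-plugin" dependency and the "demo-app" name are constructed sample data.

```javascript
// Added example, not from the advisory or the openclaw project: find installed
// openclaw copies that predate the fix release named in the advisory.
const PATCHED_VERSION = "2026.3.31";

// Compare dotted numeric versions (openclaw uses calendar-style YYYY.M.D tags).
// Returns -1, 0 or 1. A pre-release suffix after "-" is ignored, so a
// pre-release of the fixed version is treated conservatively as fixed.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  const len = Math.max(pa.length, pb.length);
  for (let i = 0; i < len; i++) {
    const x = pa[i] ?? 0;
    const y = pb[i] ?? 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// The advisory names <=2026.3.28 as affected and 2026.3.31 as the fix; this
// check treats anything below the fix as unpatched (conservative choice).
function isVulnerableVersion(version) {
  return compareVersions(version, PATCHED_VERSION) < 0;
}

// Walk the lockfile "packages" map and return every openclaw install path with
// an affected version. Nested installs (node_modules/x/node_modules/openclaw)
// are included because a transitive dependency can pin an old version even
// when the top-level copy is patched.
function findVulnerableOpenclaw(lockfile) {
  const packages = lockfile.packages || {};
  const findings = [];
  for (const [path, meta] of Object.entries(packages)) {
    if (!path.endsWith("node_modules/openclaw")) continue;
    if (!meta || !meta.version) continue;
    if (isVulnerableVersion(meta.version)) {
      findings.push({ path, version: meta.version });
    }
  }
  return findings;
}

// Human-readable report lines, one per finding.
function report(lockfile) {
  return findVulnerableOpenclaw(lockfile).map(
    (f) => `VULNERABLE ${f.path}@${f.version}: upgrade to >= ${PATCHED_VERSION}`
  );
}

// Constructed sample lockfile: a patched top-level copy plus a vulnerable
// transitive copy pulled in by a hypothetical dependency "some-plugin".
const SAMPLE_LOCKFILE = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/openclaw": { version: "2026.3.31" },
    "node_modules/some-plugin": { version: "0.4.2" },
    "node_modules/some-plugin/node_modules/openclaw": { version: "2026.3.28" },
  },
};

const lines = report(SAMPLE_LOCKFILE);
console.log(lines.length ? lines.join("\n") : "no vulnerable openclaw installs found");
```

To run it against a real project, replace SAMPLE_LOCKFILE with JSON.parse(fs.readFileSync("package-lock.json", "utf8")); a non-empty report is the signal to bump the pinned version (or the dependency that pins it) and regenerate the lockfile.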
Detection coverage (2 rules)
Detect OpenClaw Sandbox Bypass Attempt via senderIsOwner Escalation
Severity: high. Detects potential attempts to exploit the OpenClaw sandbox bypass vulnerability by monitoring for suspicious process creations originating from openclaw modules with commands that might indicate privilege escalation.
Detect Modification of OpenClaw Configuration Files
Severity: medium. Detects attempts to modify OpenClaw configuration files, which might be indicative of an exploit attempt.
Detection queries are kept inside the platform.