CVE-2026-27002 Overview
CVE-2026-27002 is a configuration injection vulnerability in OpenClaw, a personal AI assistant application. Prior to version 2026.2.15, the Docker tool sandbox component was susceptible to dangerous Docker options being applied through configuration, including bind mounts, host networking, and unconfined security profiles. This vulnerability could enable container escape or unauthorized host data access, presenting significant risks to containerized deployments.
Critical Impact
Attackers who can influence OpenClaw's sandbox configuration could escape container isolation, access host system data, or gain elevated privileges on the host machine through dangerous Docker settings.
Affected Products
- OpenClaw versions prior to 2026.2.15
- OpenClaw Node.js package (cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*)
Discovery Timeline
- 2026-02-20 - CVE-2026-27002 published to NVD
- 2026-02-20 - Last updated in NVD database
Technical Details for CVE-2026-27002
Vulnerability Analysis
This vulnerability is classified under CWE-250 (Execution with Unnecessary Privileges). The core issue stems from insufficient validation of Docker sandbox configuration parameters in OpenClaw's agent runtime. The application failed to properly restrict dangerous Docker options that could compromise container isolation, allowing configurations that would grant containers excessive access to host resources.
The vulnerability affects the sandbox execution environment where AI agent tools run. When agents execute code within Docker containers, the sandbox configuration determines the container's isolation boundaries. Without proper validation, users or administrators could inadvertently (or maliciously) configure the sandbox with settings that break the security model of containerization.
Root Cause
The root cause is improper input validation in the Docker sandbox configuration schema. The configuration allowed dangerous values for critical security settings:
- Network mode host - Allows container to share the host's network namespace, bypassing network isolation
- Seccomp profile unconfined - Disables system call filtering, allowing containers to make any syscall
- AppArmor profile unconfined - Disables mandatory access control enforcement
- Unrestricted bind mounts - Allows mounting sensitive host directories or the Docker socket into containers
Attack Vector
The attack requires network access and some user interaction to manipulate configuration. An attacker who can influence the OpenClaw configuration (through a compromised config file, social engineering, or another vulnerability) could inject dangerous sandbox settings that would be applied when containers are created.
The following code shows the security hardening patch that validates sandbox Docker configuration:
binds: z.array(z.string()).optional(),
})
.strict()
+ .superRefine((data, ctx) => {
+ if (data.network?.trim().toLowerCase() === "host") {
+ ctx.addIssue({
+ code: z.ZodIssueCode.custom,
+ path: ["network"],
+ message:
+ 'Sandbox security: network mode "host" is blocked. Use "bridge" or "none" instead.',
+ });
+ }
+ if (data.seccompProfile?.trim().toLowerCase() === "unconfined") {
+ ctx.addIssue({
+ code: z.ZodIssueCode.custom,
+ path: ["seccompProfile"],
+ message:
+ 'Sandbox security: seccomp profile "unconfined" is blocked. ' +
+ "Use a custom seccomp profile file or omit this setting.",
+ });
+ }
+ if (data.apparmorProfile?.trim().toLowerCase() === "unconfined") {
+ ctx.addIssue({
+ code: z.ZodIssueCode.custom,
+ path: ["apparmorProfile"],
+ message:
+ 'Sandbox security: apparmor profile "unconfined" is blocked. ' +
+ "Use a named AppArmor profile or omit this setting.",
+ });
+ }
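Review bot: binds, in the context line at the top of this hunk, is still z.array(z.string()).optional(), and none of the three checks added in the visible part of the superRefine callback inspect it, so a bind of the Docker socket or a system directory passes these lines unchanged. If bind validation is not added further down in the callback (the excerpt ends before it closes), add a fourth check here that rejects those sources and reports the issue with path ["binds", index]. Separately, the network check denies only the exact value "host" while its message names "bridge" and "none" as the accepted values; validating against that allowlist would be stricter than denying a single string.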
Source: GitHub Commit 887b209
Detection Methods for CVE-2026-27002
Indicators of Compromise
- Configuration files containing network: host in sandbox Docker settings
- Presence of seccompProfile: unconfined or apparmorProfile: unconfined in agent configurations
- Bind mounts configured to mount /var/run/docker.sock or system directories like /etc, /root, or /
- Unusual container processes with host network visibility or elevated syscall capabilities
Detection Strategies
- Audit OpenClaw configuration files for dangerous agents.*.sandbox.docker.* settings before and after deployment
- Implement configuration drift detection to alert on changes to sandbox security parameters
- Monitor Docker daemon logs for container creation events with --network=host or --security-opt flags indicating unconfined profiles
- Deploy container runtime security tools to detect containers attempting to access host resources beyond their expected scope
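The configuration audit in the first item above can be scripted. This is an added example, not OpenClaw's own code: it assumes the config has already been parsed into an object shaped like agents.<name>.sandbox.docker, and the function names and the sensitive-directory list are assumptions built from the paths this page names.

```javascript
// Added example: static audit of an OpenClaw config object (already parsed).
// Path matching is lexical only; symlinks on the host are not resolved.
const SENSITIVE_DIRS = ["/etc", "/var", "/root"]; // from the advisory's workarounds
const norm = (v) => (typeof v === "string" ? v.trim().toLowerCase() : "");

// Collapse ".", ".." and duplicate or trailing slashes in an absolute path.
function normalizePath(p) {
  const out = [];
  for (const seg of p.split("/")) {
    if (seg === "..") out.pop();
    else if (seg && seg !== ".") out.push(seg);
  }
  return "/" + out.join("/");
}

// Returns a reason string for a risky "src:dst[:mode]" bind, or null.
function bindIssue(bind) {
  const src = String(bind).split(":")[0];
  if (!src.startsWith("/")) return null; // named volume, not a host path
  const p = normalizePath(src);
  if (p === "/") return "mounts the host root";
  if (p.endsWith("/docker.sock")) return "mounts the Docker socket";
  const hit = SENSITIVE_DIRS.find((d) => p === d || p.startsWith(d + "/"));
  return hit ? `mounts a path under ${hit}` : null;
}

function auditSandboxConfig(config) {
  const findings = [];
  for (const [agent, def] of Object.entries(config?.agents ?? {})) {
    const docker = def?.sandbox?.docker ?? {};
    const at = (key) => `agents.${agent}.sandbox.docker.${key}`;
    if (norm(docker.network) === "host") findings.push(`${at("network")}: host`);
    for (const key of ["seccompProfile", "apparmorProfile"]) {
      if (norm(docker[key]) === "unconfined") findings.push(`${at(key)}: unconfined`);
    }
    (docker.binds ?? []).forEach((b, i) => {
      const issue = bindIssue(b);
      if (issue) findings.push(`${at(`binds[${i}]`)}: ${issue}`);
    });
  }
  return findings;
}

// Constructed sample config, not taken from a real deployment.
const sampleConfig = { agents: {
  "my-agent": { sandbox: { docker: { network: "none", binds: ["/app/workspace:/workspace:rw"] } } },
  risky: { sandbox: { docker: { network: " Host ", seccompProfile: "unconfined",
    binds: ["/var/run/docker.sock:/var/run/docker.sock", "/app/../etc/:/host-etc:ro", "cache:/cache"] } } },
} };
console.log(auditSandboxConfig(sampleConfig).join("\n"));
```

The value comparison uses the same trim-and-lowercase normalization as the patch, so " Host " is reported like "host".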
Monitoring Recommendations
- Enable audit logging for configuration file changes in the OpenClaw deployment directory
- Set up alerts for Docker containers created with elevated privileges or host namespace sharing
- Monitor for unexpected network traffic originating from container IP ranges that indicates host network mode usage
- Implement file integrity monitoring on critical OpenClaw configuration files
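For the container-level alerting recommended above, the effective settings of running containers can be read from docker inspect output rather than from the config file. This is an added example, not part of OpenClaw: the function name and the sample containers are constructed, and the fields read (HostConfig.NetworkMode, PidMode, Privileged, SecurityOpt and Mounts) are the standard ones docker inspect emits.

```javascript
// Added example: flag risky runtime settings in `docker inspect` JSON
// (for instance the output of: docker inspect $(docker ps -q)).
function auditInspect(inspectJson) {
  const alerts = [];
  for (const c of JSON.parse(inspectJson)) {
    const hc = c.HostConfig ?? {};
    const reasons = [];
    if (hc.NetworkMode === "host") reasons.push("host network namespace");
    if (hc.PidMode === "host") reasons.push("host PID namespace");
    if (hc.Privileged === true) reasons.push("privileged");
    for (const opt of hc.SecurityOpt ?? []) {
      // Matches "seccomp=unconfined" and the older colon form "seccomp:unconfined".
      const m = /^(seccomp|apparmor)[=:]unconfined$/i.exec(String(opt).trim());
      if (m) reasons.push(`${m[1].toLowerCase()} unconfined`);
    }
    for (const mnt of c.Mounts ?? []) {
      if (mnt.Type === "bind" && /(^|\/)docker\.sock$/.test(mnt.Source ?? "")) {
        reasons.push("Docker socket bind-mounted");
      }
    }
    if (reasons.length > 0) {
      // docker inspect reports names with a leading slash.
      const container = String(c.Name ?? c.Id ?? "unknown").replace(/^\//, "");
      alerts.push({ container, reasons });
    }
  }
  return alerts;
}

// Constructed sample output; container names are placeholders.
const sampleInspect = JSON.stringify([
  { Name: "/sandbox-a", HostConfig: { NetworkMode: "none", SecurityOpt: null, Privileged: false }, Mounts: [] },
  { Name: "/sandbox-b",
    HostConfig: { NetworkMode: "host", SecurityOpt: ["seccomp=unconfined", "apparmor:unconfined"] },
    Mounts: [{ Type: "bind", Source: "/var/run/docker.sock", Destination: "/var/run/docker.sock" }] },
]);
console.log(JSON.stringify(auditInspect(sampleInspect), null, 2));
```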
How to Mitigate CVE-2026-27002
Immediate Actions Required
- Upgrade OpenClaw to version 2026.2.15 or later immediately
- Review existing OpenClaw configurations for dangerous sandbox Docker settings
- Remove any network: host, seccompProfile: unconfined, or apparmorProfile: unconfined settings
- Audit bind mount configurations to ensure no sensitive host paths are exposed to containers
Patch Information
OpenClaw version 2026.2.15 addresses this vulnerability by implementing multiple security controls:
- Config-schema validation that blocks dangerous values at configuration load time
- Runtime enforcement when building docker create arguments
- Security audit findings to surface dangerous sandbox docker configurations
The patch is available via the GitHub Release v2026.2.15. For detailed technical changes, see the security commit and the GitHub Security Advisory GHSA-w235-x559-36mg.
Workarounds
- Do not configure agents.*.sandbox.docker.binds to mount system directories (/etc, /var, /root) or Docker socket paths (/var/run/docker.sock)
- Keep agents.*.sandbox.docker.network at none (default) or bridge - never use host
- Do not use unconfined for seccomp or AppArmor profiles; use custom security profiles or omit these settings entirely
- Implement network policies to restrict container egress if using bridge networking
# Configuration example - Safe sandbox settings
# In your OpenClaw configuration file, ensure sandbox settings follow this pattern:
# agents:
#   my-agent:
#     sandbox:
#       docker:
#         network: "none"  # or "bridge" - NEVER "host"
#         # seccompProfile: omit or use custom profile path
#         # apparmorProfile: omit or use named profile
#         binds:
#           - "/app/workspace:/workspace:rw"  # Only app-specific mounts

