CVE-2026-42434 Overview
CVE-2026-42434 is a sandbox escape vulnerability in OpenClaw versions 2026.4.5 through 2026.4.10. The flaw exists in the exec routing logic for sandboxed agents. A sandboxed agent can override exec target resolution by specifying host=node, bypassing the intended sandbox boundary. Attackers route execution to remote nodes instead of the sandbox path. The weakness is classified as [CWE-863] Incorrect Authorization. Successful exploitation grants high impact to confidentiality, integrity, and availability of the host environment. The issue is network-exploitable and requires only low privileges, making it accessible to any agent already operating within the sandbox.
Critical Impact
Sandboxed agents can escape isolation boundaries and execute commands on host nodes by manipulating the host parameter in exec requests.
Affected Products
- OpenClaw 2026.4.5
- OpenClaw releases between 2026.4.5 and 2026.4.10
- OpenClaw exec runtime component (bash-tools.exec-runtime.ts)
Discovery Timeline
- 2026-05-05 - CVE CVE-2026-42434 published to NVD
- 2026-05-05 - Last updated in NVD database
Technical Details for CVE-2026-42434
Vulnerability Analysis
The vulnerability lives in OpenClaw's exec routing authorization logic. When a sandboxed agent requests command execution, the isRequestedExecTargetAllowed function determines whether the requested target is permitted. The original logic treated the configured target value auto as safe whenever a sandbox was available. It only blocked the case where the requested target equalled gateway.
The check failed to account for the node target value. A sandboxed agent could pass host=node in its exec request and force the runtime to route the command to a remote node. The execution then occurred outside the sandbox boundary. This is an authorization gap rather than a memory safety issue, and it maps directly to [CWE-863].
Root Cause
The root cause is incomplete enumeration of disallowed targets in the routing guard. The canExecRequestNode helper trusted the resolved configuration without verifying sandbox availability against all privileged target identifiers. Any value other than gateway slipped through the conditional and returned true, marking the call as allowed.
Attack Vector
An attacker controlling or compromising a sandboxed agent issues an exec request with host set to node. The runtime evaluates the request against the flawed allow-list, accepts it, and dispatches the command to a host node. This bypasses isolation policy and yields execution on infrastructure that should be unreachable from the sandbox.
// Security patch in src/agents/bash-tools.exec-runtime.ts
return true;
}
if (params.configuredTarget === "auto") {
- if (params.sandboxAvailable && params.requestedTarget === "gateway") {
+ if (
+ params.sandboxAvailable &&
+ (params.requestedTarget === "gateway" || params.requestedTarget === "node")
+ ) {
return false;
}
return true;
Source: GitHub Commit dffad08
The patch adds node to the disallowed target list when a sandbox is active, closing the routing bypass.
Detection Methods for CVE-2026-42434
Indicators of Compromise
- Exec requests originating from sandboxed agent sessions that include the parameter host=node or requestedTarget=node.
- Unexpected command execution on host nodes initiated from session keys tied to sandboxed contexts.
- Audit log entries from exec-defaults.ts showing canExecRequestNode returning true for sandboxed sessions.
Detection Strategies
- Inspect OpenClaw exec runtime logs for sandboxed sessions whose resolved target equals node rather than the gateway or sandbox path.
- Correlate process creation events on host nodes with parent sessions marked sandboxed=true in OpenClaw session metadata.
- Apply rule-based alerting on the request pattern configuredTarget="auto" combined with requestedTarget="node" and sandboxAvailable=true.
Monitoring Recommendations
- Forward OpenClaw agent runtime telemetry to a centralized log platform and retain exec routing decisions.
- Track version inventory across deployed OpenClaw instances and flag any installation in the affected 2026.4.5 to 2026.4.10 range.
- Enable continuous monitoring of host node command execution and baseline expected callers to surface sandbox escape attempts.
How to Mitigate CVE-2026-42434
Immediate Actions Required
- Upgrade OpenClaw to a version newer than 2026.4.10 that contains commit dffad08529202edbf34e4808788e1182fe10f6a9.
- Audit exec runtime logs for prior requests using host=node from sandboxed sessions.
- Rotate credentials and tokens accessible to sandboxed agents that may have been used to pivot to host nodes.
Patch Information
The fix is published in the OpenClaw repository. The patch updates isRequestedExecTargetAllowed in src/agents/bash-tools.exec-runtime.ts to reject node targets when a sandbox is available, and adds a resolveExecSandboxAvailability helper in src/agents/exec-defaults.ts that propagates sandbox state into canExecRequestNode. See the GitHub Security Advisory GHSA-736r-jwj6-4w23 and the VulnCheck Advisory for full details.
Workarounds
- Set configuredTarget to a value other than auto for sandboxed agent sessions until the patch is applied.
- Restrict network reachability between sandbox runtimes and host nodes at the infrastructure layer.
- Disable the exec node routing path for any agent role that does not require host execution.
# Configuration example: pin exec target to sandbox and reject node routing
openclaw config set exec.configuredTarget sandbox
openclaw config set exec.allowNodeFromSandbox false
openclaw agents reload
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
