CVE-2026-32038

CRITICAL

OpenClaw - Sandbox Network Isolation Bypass via docker.network=container Parameter

Title source: cna

Description

OpenClaw before 2026.2.24 contains a sandbox network isolation bypass vulnerability that allows trusted operators to join another container's network namespace. Attackers can configure the docker.network parameter with container:<id> values to reach services in target container namespaces and bypass network hardening controls.

References (2)

[Third Party Advisory] https://github.com/openclaw/openclaw/security/advisories/GHSA-ww6v-v748-x7g9

[Third Party Advisory] https://www.vulncheck.com/advisories/openclaw-sandbox-network-isolation-bypass-via-docker-network-container-parameter

Scores

CVSS v3 9.8

EPSS 0.0006

EPSS Percentile 19.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact total

Details

CWE

CWE-284

Status published

Products (3)

npm/openclaw 0 - 2026.2.24npm

OpenClaw/OpenClaw < 2026.2.24

OpenClaw/OpenClaw 2026.2.24

Published Mar 19, 2026

Tracked Since Mar 20, 2026