CVE-2026-27002
Received Received - Intake
Configuration Injection in OpenClaw Docker Sandbox Enables Container Escape

Publication date: 2026-02-20

Last updated on: 2026-02-20

Assigner: GitHub, Inc.

Description
OpenClaw is a personal AI assistant. Prior to version 2026.2.15, a configuration injection issue in the Docker tool sandbox could allow dangerous Docker options (bind mounts, host networking, unconfined profiles) to be applied, enabling container escape or host data access. OpenClaw 2026.2.15 blocks dangerous sandbox Docker settings and includes runtime enforcement when building `docker create` args; config-schema validation for `network=host`, `seccompProfile=unconfined`, `apparmorProfile=unconfined`; and security audit findings to surface dangerous sandbox docker config. As a workaround, do not configure `agents.*.sandbox.docker.binds` to mount system directories or Docker socket paths, keep `agents.*.sandbox.docker.network` at `none` (default) or `bridge`, and do not use `unconfined` for seccomp/AppArmor profiles.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-20
Last Modified
2026-02-20
Generated
2026-06-10
AI Q&A
2026-02-20
EPSS Evaluated
2026-06-08
NVD
CVE-2026-27002
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
openclaw openclaw to 2026.2.15 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-250 The product performs an operation at a privilege level that is higher than the minimum level required, which creates new weaknesses or amplifies the consequences of other weaknesses.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': "CVE-2026-27002 is a configuration injection vulnerability in the OpenClaw AI assistant's Docker sandboxing feature prior to version 2026.2.15. It allows an attacker or an operator using untrusted configuration to inject dangerous Docker options such as bind mounts to sensitive host directories, host networking mode, and unconfined security profiles (seccomp and AppArmor). This can enable container escape or unauthorized access to host data."}, {'type': 'paragraph', 'content': 'The vulnerability arises because unsafe Docker sandbox settings can be applied, which weaken container isolation and allow the container to access or control the host system.'}, {'type': 'paragraph', 'content': 'The issue was fixed in OpenClaw version 2026.2.15 by adding runtime enforcement to block dangerous Docker sandbox settings, validating configuration schemas to prevent unsafe values, and introducing security audit mechanisms to detect risky configurations.'}] [1]

Impact Analysis

Exploiting this vulnerability can lead to container escape, allowing an attacker to break out of the Docker container isolation.

It can also result in unauthorized access to sensitive host data by mounting critical system directories or the Docker socket inside the container.

Ultimately, this can lead to full host control, exposing secrets, compromising system integrity, and potentially enabling further attacks on the host environment.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by auditing the Docker sandbox configuration used by OpenClaw, specifically checking for dangerous Docker options such as bind mounts to sensitive host directories or the Docker socket, use of host networking, and unconfined seccomp or AppArmor profiles.'}, {'type': 'paragraph', 'content': 'You should look for configurations where agents.*.sandbox.docker.binds mount system directories like /etc, /proc, /sys, /dev, or Docker socket paths such as /var/run/docker.sock or /run/docker.sock.'}, {'type': 'paragraph', 'content': "Also, verify if agents.*.sandbox.docker.network is set to 'host' instead of 'none' or 'bridge', and check if seccompProfile or apparmorProfile are set to 'unconfined'."}, {'type': 'paragraph', 'content': 'While no specific commands are provided in the resources, you can use Docker commands and configuration inspection to detect risky settings, for example:'}, {'type': 'list_item', 'content': 'Inspect Docker container creation arguments or configuration files for bind mounts: grep or jq to find mounts of /etc, /proc, /sys, /dev, or Docker socket paths.'}, {'type': 'list_item', 'content': 'Check network mode of containers: docker inspect <container_id> | grep NetworkMode'}, {'type': 'list_item', 'content': 'Check seccomp and AppArmor profiles used by containers: docker inspect <container_id> | grep SeccompProfile and AppArmorProfile'}, {'type': 'paragraph', 'content': 'Additionally, OpenClaw 2026.2.15 and later include security audit findings to surface dangerous sandbox Docker configurations, which can help detect this vulnerability automatically.'}] [1, 2]

Mitigation Strategies

[{'type': 'paragraph', 'content': 'To mitigate this vulnerability immediately, upgrade OpenClaw to version 2026.2.15 or later, which includes fixes that block dangerous Docker sandbox settings and enforce runtime validation.'}, {'type': 'paragraph', 'content': 'As a workaround before upgrading, avoid configuring agents.*.sandbox.docker.binds to mount system directories or Docker socket paths.'}, {'type': 'paragraph', 'content': "Keep agents.*.sandbox.docker.network set to 'none' (default) or 'bridge', and do not use 'host' network mode."}, {'type': 'paragraph', 'content': "Do not use 'unconfined' for seccompProfile or apparmorProfile; use custom or default profiles instead."}, {'type': 'paragraph', 'content': 'These steps reduce the risk of container escape or host data access by preventing dangerous Docker options from being applied.'}] [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-27002. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart