CVE-2026-32048
Received Received - Intake
Sandbox Bypass in OpenClaw via Cross-Agent Session Spawn

Publication date: 2026-03-21

Last updated on: 2026-03-24

Assigner: VulnCheck

Description
OpenClaw versions prior to 2026.3.1 fail to enforce sandbox inheritance during cross-agent sessions_spawn operations, allowing sandboxed sessions to create child processes under unsandboxed agents. An attacker with a sandboxed session can exploit this to spawn child runtimes with sandbox.mode set to off, bypassing runtime confinement restrictions.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-21
Last Modified
2026-03-24
Generated
2026-06-16
AI Q&A
2026-03-21
EPSS Evaluated
2026-06-15
NVD
CVE-2026-32048
EUVD
EUVD-2026-13943
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
openclaw openclaw to 2026.3.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-732 The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-32048 is a sandbox escape vulnerability in OpenClaw versions prior to 2026.3.1. It occurs because OpenClaw fails to enforce sandbox inheritance during cross-agent sessions_spawn operations. This means that a sandboxed session can spawn child processes under unsandboxed agents, creating child runtimes with sandbox.mode set to off. As a result, the attacker can bypass runtime confinement restrictions.

This vulnerability is classified under CWE-732 (Incorrect Permission Assignment for Critical Resource), CWE-269 (Improper Privilege Management), and CWE-284 (Improper Access Control), indicating failures in privilege assignment and access restriction.

Impact Analysis

This vulnerability allows an attacker with a sandboxed session to bypass runtime confinement by spawning child processes without sandbox restrictions. This can lead to privilege escalation or unauthorized access within the system.

The impact includes high severity risks to confidentiality, integrity, and availability of the affected system, as the attacker can operate with fewer restrictions than intended.

Compliance Impact

I don't know

Detection Guidance

Detection of this vulnerability involves identifying if OpenClaw versions prior to 2026.3.1 are in use and monitoring for cross-agent sessions_spawn operations where sandboxed sessions spawn child processes under unsandboxed agents.

Specifically, you can look for processes or logs indicating that a sandboxed session has spawned child runtimes with sandbox.mode set to off, which would indicate a sandbox escape attempt.

Commands to help detect this might include:

  • Checking OpenClaw version installed: `openclaw --version` or equivalent
  • Monitoring process trees for unexpected child processes spawned by sandboxed sessions, e.g., using `ps -ef --forest` or `pstree` on Unix-like systems
  • Reviewing OpenClaw logs for cross-agent sessions_spawn calls and verifying sandbox.mode settings for spawned runtimes
  • Using network monitoring tools to detect unusual cross-agent spawning activity
Mitigation Strategies

The primary mitigation step is to upgrade OpenClaw to version 2026.3.1 or later, where the vulnerability has been fixed by enforcing sandbox inheritance during cross-agent sessions_spawn operations.

Until the upgrade can be applied, consider restricting or disabling cross-agent spawning functionality, especially in mixed-agent environments where sandboxed and unsandboxed agents coexist.

Additionally, review and tighten sandbox configuration policies to prevent sandboxed sessions from spawning child runtimes with sandbox.mode set to off.

Monitoring and alerting on suspicious spawning activity can also help in early detection and response.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-32048. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart