CVE-2026-42434
Deferred Deferred - Pending Action
Sandbox Escape in OpenClaw via Host Node Override

Publication date: 2026-05-05

Last updated on: 2026-05-05

Assigner: VulnCheck

Description
OpenClaw versions 2026.4.5 before 2026.4.10 contain a sandbox escape vulnerability allowing sandboxed agents to override exec routing by specifying host=node. Attackers can bypass sandbox boundaries and route execution to remote nodes instead of intended sandbox paths.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-05
Last Modified
2026-05-05
Generated
2026-06-16
AI Q&A
2026-05-06
EPSS Evaluated
2026-06-15
NVD
CVE-2026-42434
EUVD
EUVD-2026-27251
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
openclaw openclaw From 2026.4.5 (inc) to 2026.4.10 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

This vulnerability exists in OpenClaw versions 2026.4.5 through 2026.4.9 and allows sandboxed agents to escape their restricted execution environment. Specifically, attackers can override the exec routing by setting the host parameter to "node," which lets them bypass sandbox boundaries and redirect execution commands to remote nodes instead of the intended sandbox paths.

Impact Analysis

The impact of this vulnerability is significant because it allows attackers with limited privileges inside a sandbox to execute commands outside of that sandbox on remote nodes. This bypass of sandbox restrictions can lead to unauthorized access, potential data breaches, and compromise of systems that were supposed to be isolated and protected by the sandbox environment.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade OpenClaw to version 2026.4.10 or later, as these versions include the patch that prevents sandboxed agents from escaping execution routing boundaries.

The fix ensures that sandboxed exec commands cannot override the host parameter to route execution to remote nodes, thereby enforcing sandbox policies and preventing bypass.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-42434. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart