CVE-2026-27002

OpenClaw · tool sandbox

OpenClaw's Docker tool sandbox is vulnerable to configuration injection, allowing the injection of dangerous Docker options that can lead to container escape and host data access.

Executive summary

A critical configuration injection vulnerability in OpenClaw's Docker sandbox enables attackers to escape container environments and access sensitive host system data.

Vulnerability

This issue involves the injection of dangerous Docker configuration options (such as bind mounts and host networking) into the sandbox environment. This allows an attacker to bypass container isolation, potentially achieving a full container escape or gaining unauthorized access to the host file system.

Business impact

An exploit could lead to the total compromise of the host server running the AI assistant. Attackers could steal sensitive host data, escalate privileges, or move laterally within the network. The CVSS score of 9.8 underscores the critical risk to infrastructure integrity and data confidentiality.

Remediation

Immediate Action: Update OpenClaw to version 2026.2.15 or later, which implements runtime enforcement and validation of Docker arguments.

Proactive Monitoring: Audit Docker logs for unauthorized container creations with network=host or unconfined profiles and monitor host file systems for unauthorized access.

Compensating Controls: As a workaround, ensure that sandbox configurations do not use system directory bind mounts, keep networking set to none or bridge, and enforce strict seccomp/AppArmor profiles.
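The compensating controls above can be enforced as a pre-start check. The following is an added example, not OpenClaw's own code: the config shape, the function names and the list of system directories are assumptions. It rejects host networking, privileged mode, unconfined seccomp/AppArmor and system-directory bind mounts, and optionally goes a step beyond the advisory's deny-list by requiring binds to come from an allow-list of host directories.

```python
"""Reject dangerous Docker options before a tool sandbox is started.
Assumed (constructed) config shape, not OpenClaw's real schema:
{"network": "bridge", "binds": ["/host:/ctr:ro"], "security_opt": ["seccomp=x.json"], "privileged": False}
"""
import posixpath

# Host directories that must never be bind-mounted into a tool sandbox (assumed list).
SYSTEM_DIRS = ("/", "/etc", "/proc", "/sys", "/dev", "/boot", "/root", "/home",
               "/run", "/var/run", "/var/lib", "/usr", "/bin", "/sbin", "/lib")
ALLOWED_NETWORKS = ("none", "bridge")  # the advisory's compensating control


def _under(path, root):
    """True if the normalised host path is root itself or lies beneath it."""
    path = posixpath.normpath(path)  # collapses "/etc/../" style tricks to "/"
    return path == root or (root != "/" and path.startswith(root + "/"))


def validate_sandbox_config(cfg, allowed_roots=()):
    """Return a list of findings; an empty list means the config may run.
    allowed_roots: optional allow-list of host directories binds may come from."""
    findings = []
    if cfg.get("privileged"):
        findings.append("privileged mode disables container isolation")
    net = cfg.get("network", "bridge")
    if net not in ALLOWED_NETWORKS:
        findings.append(f"network mode {net!r} is not one of {ALLOWED_NETWORKS}")
    for bind in cfg.get("binds", []):
        src = bind.split(":", 1)[0]  # host side of host:container[:opts]
        if not src.startswith("/"):
            findings.append(f"bind {bind!r}: host path must be absolute")
            continue
        hit = next((d for d in SYSTEM_DIRS if _under(src, d)), None)
        if hit:
            findings.append(f"bind {bind!r}: mounts system directory {hit}")
        elif allowed_roots and not any(_under(src, r) for r in allowed_roots):
            findings.append(f"bind {bind!r}: host path outside allowed roots")
    for opt in cfg.get("security_opt", []):
        name, _, value = opt.partition("=")
        if name in ("seccomp", "apparmor") and value == "unconfined":
            findings.append(f"security_opt {opt!r} disables the {name} profile")
    return findings


if __name__ == "__main__":
    bad = {"network": "host", "binds": ["/etc/../:/host"],
           "security_opt": ["apparmor=unconfined"]}  # constructed sample config
    for finding in validate_sandbox_config(bad):
        print("REJECT:", finding)
```

Call the validator on the resolved sandbox config and refuse to start the container if it returns any finding; prefix checks are done on normalised paths so `/etcetera` is not mistaken for `/etc`.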

Exploitation status

Public Exploit Available: No

Analyst recommendation

Organizations using OpenClaw must prioritize the update to version 2026.2.15. In environments where immediate updates are not possible, the provided configuration workarounds should be applied manually to prevent the use of dangerous Docker options that facilitate container escapes.