Sandbox escape in openclaw via heartbeat context inheritance
TL;DR - openclaw <= 2026.3.28: heartbeat context inheritance feeds a senderIsOwner escalation path that exits the sandbox boundary. End result is arbitrary code execution risk with elevated privileges. Update to 2026.3.31 or later.
What happened
openclaw is an AI agent workflow runtime with a built-in sandbox meant to contain risky agent actions. AhnLab ASEC published a product security advisory for CVE-2026-41329 - a sandbox bypass that makes that containment unreliable.
The mechanism: heartbeat context inheritance passes context across what should be a hard boundary. That inherited context opens a senderIsOwner escalation path. Exploit it and "run untrusted agent logic" becomes "run with elevated privileges" - arbitrary code execution risk on the other side.
| Item | Detail |
|---|---|
| Affected component | openclaw (npm) |
| Affected versions | 2026.3.28 and earlier |
| Fixed version | 2026.3.31 and later |
| Vulnerability class | Sandbox bypass + privilege escalation |
Sandbox boundaries in agent runtimes are becoming a primary attack surface. If untrusted inputs or external event sources can reach agent execution context, and your architecture treats the sandbox as a hard security boundary, this is a direct threat to that assumption.
Who is impacted
- Deployments using the openclaw npm package at versions 2026.3.28 or earlier.
- Highest risk: environments where untrusted users, inputs, or external event sources can influence agent execution context - particularly where the sandbox is the primary control between untrusted logic and privileged operations.
What to do now
- Update openclaw to 2026.3.31 or later.
  "patched versions: Confirmed fix in openclaw version 2026.3.31 and later."
- Inventory every deployment of openclaw - CI runners, automation hosts, internal agent services - and confirm the runtime version in each environment.
- While you patch, treat this as a live sandbox escape exposure:
  - Review agent execution logs and audit trails for unexpected privilege changes or cross-workflow context reuse.
  - Rotate credentials accessible to the openclaw runtime if any untrusted workflows could have reached privileged operations.
  - Tighten network egress and downstream permissions for the agent runtime - apply least privilege, especially on automation hosts that can reach production systems.
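One way to do the inventory step from a package-lock.json, as an added example (not code from the advisory or the openclaw project). The version bounds are the ones in the table above; the sample lockfile and its package names (agent-host, ci-helper, legacy) are constructed, and versions the page does not classify are flagged for manual review rather than guessed.

```javascript
// Added example: thresholds come from the advisory table on this page.
const LAST_AFFECTED = [2026, 3, 28]; // "2026.3.28 and earlier"
const FIRST_FIXED = [2026, 3, 31];   // "2026.3.31 and later"

// Compare two numeric version triples component by component.
const cmp = (a, b) => a[0] - b[0] || a[1] - b[1] || a[2] - b[2];

function classify(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(version || "");
  if (!m) return "review"; // pre-release tags, git URLs, missing version
  const v = m.slice(1).map(Number);
  if (cmp(v, LAST_AFFECTED) <= 0) return "affected";
  if (cmp(v, FIRST_FIXED) >= 0) return "fixed";
  return "review"; // between the two stated bounds: the page does not say
}

// Return every installed copy of openclaw recorded in a package-lock.json.
function findOpenclaw(lockText) {
  const lock = JSON.parse(lockText);
  const hits = [];
  // lockfileVersion 2/3: flat "packages" map keyed by install path.
  for (const [path, pkg] of Object.entries(lock.packages || {})) {
    if (path === "node_modules/openclaw" || path.endsWith("/node_modules/openclaw"))
      hits.push({ path, version: pkg.version, status: classify(pkg.version) });
  }
  // lockfileVersion 1: nested "dependencies" tree, walked recursively.
  const walk = (deps, trail) => {
    for (const [name, dep] of Object.entries(deps || {})) {
      const path = `${trail}node_modules/${name}`;
      if (name === "openclaw")
        hits.push({ path, version: dep.version, status: classify(dep.version) });
      walk(dep.dependencies, `${path}/`);
    }
  };
  if (!lock.packages) walk(lock.dependencies, "");
  return hits;
}

// Constructed sample lockfile (hypothetical project, not real data).
const SAMPLE_LOCK = JSON.stringify({
  lockfileVersion: 3,
  packages: {
    "": { name: "agent-host" },
    "node_modules/openclaw": { version: "2026.3.31" },
    "node_modules/ci-helper/node_modules/openclaw": { version: "2026.3.14" },
    "node_modules/legacy/node_modules/openclaw": { version: "2026.3.30" },
  },
});
console.log(findOpenclaw(SAMPLE_LOCK));
```

Pass the text of each host's package-lock.json to findOpenclaw; nested copies pulled in by other packages are reported alongside the top-level install.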
Additional information
- GitHub Security Advisory GHSA-g5cg-8x5w-7jpm covers this issue (openclaw/openclaw). Note: the GHSA page currently shows "No known CVE" even though ASEC references CVE-2026-41329.
- Root cause terminology used in the ASEC advisory: "heartbeat context inheritance" and the senderIsOwner privilege escalation path.
