Description
OpenClaw versions prior to 2026.3.7 contain a sandbox escape vulnerability in the /acp spawn command that allows authorized sandboxed sessions to initialize host-side ACP runtime. Attackers can bypass sandbox restrictions by invoking the /acp spawn slash-command to cross from sandboxed chat context into host-side ACP session initialization when ACP is enabled.
Published: 2026-03-23
Score: 5.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Sandbox Escape
Action: Immediate Patch
AI Analysis

Impact

OpenClaw releases prior to 2026.3.7 contain a sandbox escape flaw in the /acp spawn command. The weakness is a privilege escalation through a command invoked from a sandboxed chat context: an authorized user can launch the host-side ACP runtime from inside the sandbox. This is a case of improper authorization, identified as CWE-863, and it enables privileged code execution on the host system.

Affected Systems

The flaw applies to all installations of OpenClaw prior to version 2026.3.7 when the ACP feature is active. Any user that has an authorized sandboxed session with ACP permissions can trigger the vulnerability.

Risk and Exploitability

The CVSS score of 5.8 indicates moderate severity, and the EPSS score of less than 1% implies the likelihood of active exploitation is currently low. The vulnerability is not listed in the CISA KEV catalog, indicating no known active exploitation. The attack vector is inferred to require an authenticated sandboxed user with ACP enabled; therefore, only privileged users inside the sandbox pose a risk. The potential impact includes unauthorized host-side code execution, which could compromise the confidentiality, integrity, and availability of the underlying system if exploited.

Generated by OpenCVE AI on March 24, 2026 at 23:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official patch to upgrade OpenClaw to version 2026.3.7 or later.
  • If the ACP feature is not needed, disable or restrict ACP functionality.

Advisories

Source: GitHub GHSA
ID: GHSA-9q36-67vc-rrwg
Title: OpenClaw: Sandboxed /acp spawn requests could initialize host ACP sessions
History

Wed, 25 Mar 2026 20:15:00 +0000
  Metrics (ssvc)
    Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 25 Mar 2026 15:00:00 +0000
  Metrics (cvssV3_1)
    Removed: {'score': 5.3, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N'}
    Added:   {'score': 6.1, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N'}

Tue, 24 Mar 2026 21:30:00 +0000
  CPEs
    Added: cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*

Tue, 24 Mar 2026 10:45:00 +0000
  First Time appeared
    Added: Openclaw; Openclaw openclaw
  Vendors & Products
    Added: Openclaw; Openclaw openclaw

Tue, 24 Mar 2026 02:30:00 +0000
  Description
    Added: OpenClaw versions prior to 2026.3.7 contain a sandbox escape vulnerability in the /acp spawn command that allows authorized sandboxed sessions to initialize host-side ACP runtime. Attackers can bypass sandbox restrictions by invoking the /acp spawn slash-command to cross from sandboxed chat context into host-side ACP session initialization when ACP is enabled.
  Title
    Added: OpenClaw < 2026.3.7 - Sandbox Escape via /acp spawn Command
  Weaknesses
    Added: CWE-863
  References
    (none)
  Metrics (cvssV3_1)
    Added: {'score': 5.3, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N'}
  Metrics (cvssV4_0)
    Added: {'score': 5.8, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-25T19:15:32.305Z

Reserved: 2026-02-22T13:10:57.098Z

Link: CVE-2026-27646

Vulnrichment

Updated: 2026-03-25T19:15:29.225Z

NVD

Status: Modified

Published: 2026-03-23T22:16:25.660

Modified: 2026-03-25T15:16:39.280

Link: CVE-2026-27646

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T20:36:23Z

Weaknesses