CRITICALCVE-2026-41329Published 2026-04-20Modified 2026-04-21CNA VulnCheck

CVE-2026-41329: OpenClaw < 2026.3.31 - Sandbox Bypass via Heartbeat Context Inheritance and senderIsOwner Escalation

OpenClaw before 2026.3.31 contains a sandbox bypass vulnerability allowing attackers to escalate privileges via heartbeat context inheritance and senderIsOwner parameter manipulation. Attackers can exploit improper context validation to bypass sandbox restrictions and achieve unauthorized privilege escalation.

CVSS v4.0: 9.0
Severity: CRITICAL
Fixed in: 2026.3.31
Affected Products: 1

Fix available

2026.3.31

Patch commits

Patch Commit

Affected packages

OpenClaw / OpenClaw
< 2026.3.31 (from 0)
Fixed in 2026.3.31

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

References

GitHub Security Advisory (GHSA-g5cg-8x5w-7jpm)
Patch Commit
VulnCheck Advisory: OpenClaw < 2026.3.31 - Sandbox Bypass via Heartbeat Context Inheritance and senderIsOwner Escalation

Metrics

Fix available