GHSA-9Q36-67VC-RRWG: Sandbox Escape via Slash Command in OpenClaw ACP
Vulnerability ID: GHSA-9Q36-67VC-RRWG
CVSS Score: 6.5
Published: 2026-03-09
A logic flaw in the OpenClaw agent infrastructure platform allows sandboxed sessions to bypass isolation policies. By utilizing the /acp spawn slash command via integrated chat interfaces, restricted users can initialize high-privilege Agent Control Plane (ACP) sessions directly on the host runtime.
TL;DR
OpenClaw versions prior to 2026.3.7 fail to enforce sandbox restrictions on the /acp spawn slash command, allowing restricted users to execute agents on the underlying host system and escape the sandbox.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-285
- Attack Vector: Network (Chat Interface Command)
- Impact: Privilege Escalation / Sandbox Escape
- Exploit Status: Proof of Concept
- Authentication Required: Yes (Sandboxed Session)
Affected Systems
- OpenClaw Platform
- OpenClaw Agent Control Plane (ACP)
-
openclaw: < 2026.3.7 (Fixed in:
2026.3.7)
Code Analysis
Commit: 61000b8
Centralize ACP spawn validation and fix sandbox bypass in slash commands
Mitigation Strategies
- Upgrade OpenClaw package to patched version
- Disable the Agent Control Plane (ACP) via configuration if not actively required
- Execute platform security audit tools to harden the runtime environment
Remediation Steps:
- Update the openclaw dependency in your project to v2026.3.7 or higher.
- If patching is delayed, open openclaw.yaml and set 'acp.enabled: false'.
- Restart the OpenClaw service to apply configuration or version changes.
- Run 'openclaw security audit --deep --fix' to verify environmental hardening.
References
- GitHub Advisory: GHSA-9Q36-67VC-RRWG
- Fix Commit: 61000b8e4ded919ca1a825d4700db4cb3fdc56e3
- OpenClaw v2026.3.7 Release Notes
- OpenClaw Documentation: ACP Agents
Read the full report for GHSA-9Q36-67VC-RRWG on our website for more details including interactive diagrams and full exploit analysis.
Top comments (0)