CVE-2026-27002
Published: 20 February 2026
Summary
CVE-2026-27002 is a critical-severity Execution with Unnecessary Privileges (CWE-250) vulnerability in Openclaw Openclaw. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 6.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
This vulnerability is AI-related — categorised as Other AI Platforms.
The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and CM-7 (Least Functionality).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
CM-6 enforces and documents secure baseline configuration settings for the Docker sandbox, preventing injection and application of dangerous options like bind mounts, host networking, and unconfined profiles.
CM-7 restricts the Docker sandbox to least functionality by prohibiting risky features such as host networking, unconfined seccomp/AppArmor profiles, and dangerous bind mounts to mitigate container escape.
SI-10 validates inputs to the Docker configuration builder and schema, blocking configuration injection attacks that enable unauthorized dangerous Docker options.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
CVE enables remote unauthenticated exploitation of a public-facing AI app (T1190) via config injection that directly permits Docker options for container escape to host (T1611).
NVD Description
OpenClaw is a personal AI assistant. Prior to version 2026.2.15, a configuration injection issue in the Docker tool sandbox could allow dangerous Docker options (bind mounts, host networking, unconfined profiles) to be applied, enabling container escape or host data access.…
more
OpenClaw 2026.2.15 blocks dangerous sandbox Docker settings and includes runtime enforcement when building `docker create` args; config-schema validation for `network=host`, `seccompProfile=unconfined`, `apparmorProfile=unconfined`; and security audit findings to surface dangerous sandbox docker config. As a workaround, do not configure `agents.*.sandbox.docker.binds` to mount system directories or Docker socket paths, keep `agents.*.sandbox.docker.network` at `none` (default) or `bridge`, and do not use `unconfined` for seccomp/AppArmor profiles.
Deeper analysisAI
CVE-2026-27002 is a configuration injection vulnerability (CWE-250) in the Docker tool sandbox of OpenClaw, a personal AI assistant. Versions prior to 2026.2.15 are affected, with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). The flaw enables the application of dangerous Docker options, including bind mounts, host networking, and unconfined security profiles.
Remote attackers require no privileges, authentication, or user interaction to exploit the vulnerability over the network with low complexity. Successful exploitation allows application of these risky options, resulting in container escape or unauthorized access to host data.
OpenClaw version 2026.2.15 mitigates the issue by blocking dangerous sandbox Docker settings, adding runtime enforcement when constructing `docker create` arguments, implementing config-schema validation for options like `network=host`, `seccompProfile=unconfined`, and `apparmorProfile=unconfined`, and surfacing security audit findings for risky Docker configurations. As a workaround, avoid configuring `agents.*.sandbox.docker.binds` to mount system directories or Docker socket paths, set `agents.*.sandbox.docker.network` to `none` (default) or `bridge`, and do not use `unconfined` for seccomp or AppArmor profiles. Details are available in the GitHub security advisory (GHSA-w235-x559-36mg), release notes for v2026.2.15, and the fixing commit (887b209db47f1f9322fead241a1c0b043fd38339).
Details
- CWE(s)
Affected Products
AI Security AnalysisAI
- AI Category
- Other AI Platforms
- Risk Domain
- N/A
- OWASP Top 10 for LLMs 2025
- None mapped
- Classification Reason
- Matched keywords: ai