Cyber Resilience

CVE-2026-27002

High

Published: 20 February 2026

Published
20 February 2026
Modified
20 February 2026
KEV Added
Patch
CVSS Score v4 7.7 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0048 37.6th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-27002 is a high-severity Execution with Unnecessary Privileges (CWE-250) vulnerability in Openclaw Openclaw. Its CVSS base score is 7.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 37.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

This vulnerability is AI-related — categorised as Enterprise AI Assistants; in the Supply Chain and Deployment risk domain.

The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and CM-7 (Least Functionality).

Deeper analysis

CVE-2026-27002 is a configuration injection vulnerability (CWE-250) in the Docker tool sandbox of OpenClaw, a personal AI assistant. Versions prior to 2026.2.15 are affected, with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). The flaw enables the application of dangerous Docker options, including bind mounts, host networking, and unconfined security profiles.

Remote attackers require no privileges, authentication, or user interaction to exploit the vulnerability over the network with low complexity. Successful exploitation allows application of these risky options, resulting in container escape or unauthorized access to host data.

OpenClaw version 2026.2.15 mitigates the issue by blocking dangerous sandbox Docker settings, adding runtime enforcement when constructing `docker create` arguments, implementing config-schema validation for options like `network=host`, `seccompProfile=unconfined`, and `apparmorProfile=unconfined`, and surfacing security audit findings for risky Docker configurations. As a workaround, avoid configuring `agents.*.sandbox.docker.binds` to mount system directories or Docker socket paths, set `agents.*.sandbox.docker.network` to `none` (default) or `bridge`, and do not use `unconfined` for seccomp or AppArmor profiles. Details are available in the GitHub security advisory (GHSA-w235-x559-36mg), release notes for v2026.2.15, and the fixing commit (887b209db47f1f9322fead241a1c0b043fd38339).

EU & UK References

Vulnerability details

OpenClaw is a personal AI assistant. Prior to version 2026.2.15, a configuration injection issue in the Docker tool sandbox could allow dangerous Docker options (bind mounts, host networking, unconfined profiles) to be applied, enabling container escape or host data access.…

more

OpenClaw 2026.2.15 blocks dangerous sandbox Docker settings and includes runtime enforcement when building `docker create` args; config-schema validation for `network=host`, `seccompProfile=unconfined`, `apparmorProfile=unconfined`; and security audit findings to surface dangerous sandbox docker config. As a workaround, do not configure `agents.*.sandbox.docker.binds` to mount system directories or Docker socket paths, keep `agents.*.sandbox.docker.network` at `none` (default) or `bridge`, and do not use `unconfined` for seccomp/AppArmor profiles.

CWE(s)

AI Security AnalysisAI

AI Category
Enterprise AI Assistants
Risk Domain
Supply Chain and Deployment
OWASP Top 10 for LLMs 2025
None mapped
Classification Reason
Matched keywords: ai

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1611 Escape to Host Privilege Escalation
Adversaries may break out of a container or virtualized environment to gain access to the underlying host.
Why these techniques?

CVE enables remote unauthenticated exploitation of a public-facing AI app (T1190) via config injection that directly permits Docker options for container escape to host (T1611).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-26319Same product: Openclaw Openclaw
CVE-2026-25474Same product: Openclaw Openclaw
CVE-2026-26316Same product: Openclaw Openclaw
CVE-2026-26324Same product: Openclaw Openclaw
CVE-2026-27488Same product: Openclaw Openclaw
CVE-2026-26325Same product: Openclaw Openclaw
CVE-2026-32038Same product: Openclaw Openclaw
CVE-2026-32924Same product: Openclaw Openclaw
CVE-2026-41394Same product: Openclaw Openclaw
CVE-2026-43573Same product: Openclaw Openclaw

Affected Assets

openclaw
openclaw
≤ 2026.2.15

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

CM-6 enforces and documents secure baseline configuration settings for the Docker sandbox, preventing injection and application of dangerous options like bind mounts, host networking, and unconfined profiles.

prevent

CM-7 restricts the Docker sandbox to least functionality by prohibiting risky features such as host networking, unconfined seccomp/AppArmor profiles, and dangerous bind mounts to mitigate container escape.

prevent

SI-10 validates inputs to the Docker configuration builder and schema, blocking configuration injection attacks that enable unauthorized dangerous Docker options.

References