CVE-2026-27002
Published: 20 February 2026
Summary
CVE-2026-27002 is a high-severity Execution with Unnecessary Privileges (CWE-250) vulnerability in Openclaw Openclaw. Its CVSS base score is 7.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 37.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
This vulnerability is AI-related — categorised as Enterprise AI Assistants; in the Supply Chain and Deployment risk domain.
The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and CM-7 (Least Functionality).
Deeper analysis
CVE-2026-27002 is a configuration injection vulnerability (CWE-250) in the Docker tool sandbox of OpenClaw, a personal AI assistant. Versions prior to 2026.2.15 are affected, with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). The flaw enables the application of dangerous Docker options, including bind mounts, host networking, and unconfined security profiles.
Remote attackers require no privileges, authentication, or user interaction to exploit the vulnerability over the network with low complexity. Successful exploitation allows application of these risky options, resulting in container escape or unauthorized access to host data.
OpenClaw version 2026.2.15 mitigates the issue by blocking dangerous sandbox Docker settings, adding runtime enforcement when constructing `docker create` arguments, implementing config-schema validation for options like `network=host`, `seccompProfile=unconfined`, and `apparmorProfile=unconfined`, and surfacing security audit findings for risky Docker configurations. As a workaround, avoid configuring `agents.*.sandbox.docker.binds` to mount system directories or Docker socket paths, set `agents.*.sandbox.docker.network` to `none` (default) or `bridge`, and do not use `unconfined` for seccomp or AppArmor profiles. Details are available in the GitHub security advisory (GHSA-w235-x559-36mg), release notes for v2026.2.15, and the fixing commit (887b209db47f1f9322fead241a1c0b043fd38339).
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-8416
Vulnerability details
OpenClaw is a personal AI assistant. Prior to version 2026.2.15, a configuration injection issue in the Docker tool sandbox could allow dangerous Docker options (bind mounts, host networking, unconfined profiles) to be applied, enabling container escape or host data access.…
more
OpenClaw 2026.2.15 blocks dangerous sandbox Docker settings and includes runtime enforcement when building `docker create` args; config-schema validation for `network=host`, `seccompProfile=unconfined`, `apparmorProfile=unconfined`; and security audit findings to surface dangerous sandbox docker config. As a workaround, do not configure `agents.*.sandbox.docker.binds` to mount system directories or Docker socket paths, keep `agents.*.sandbox.docker.network` at `none` (default) or `bridge`, and do not use `unconfined` for seccomp/AppArmor profiles.
- CWE(s)
AI Security AnalysisAI
- AI Category
- Enterprise AI Assistants
- Risk Domain
- Supply Chain and Deployment
- OWASP Top 10 for LLMs 2025
- None mapped
- Classification Reason
- Matched keywords: ai
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
CVE enables remote unauthenticated exploitation of a public-facing AI app (T1190) via config injection that directly permits Docker options for container escape to host (T1611).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
CM-6 enforces and documents secure baseline configuration settings for the Docker sandbox, preventing injection and application of dangerous options like bind mounts, host networking, and unconfined profiles.
CM-7 restricts the Docker sandbox to least functionality by prohibiting risky features such as host networking, unconfined seccomp/AppArmor profiles, and dangerous bind mounts to mitigate container escape.
SI-10 validates inputs to the Docker configuration builder and schema, blocking configuration injection attacks that enable unauthorized dangerous Docker options.