Cyber Resilience

CVE-2026-41329

CriticalPublic PoC

Published: 21 April 2026

Published
21 April 2026
Modified
27 April 2026
KEV Added
Patch
CVSS Score v4 9.0 CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0030 21.3th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2026-41329 is a critical-severity Incorrect Use of Privileged APIs (CWE-648) vulnerability in Openclaw Openclaw. Its CVSS base score is 9.0 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 21.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-25 (Reference Monitor) and SC-39 (Process Isolation).

Deeper analysis

CVE-2026-41329 is a sandbox bypass vulnerability in OpenClaw versions prior to 2026.3.31, stemming from improper context validation in heartbeat context inheritance and senderIsOwner parameter manipulation. This flaw, associated with CWE-648, enables attackers to circumvent sandbox restrictions and escalate privileges. The vulnerability received a CVSS v3.1 base score of 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H), highlighting its critical severity due to network accessibility, low complexity, and high impact across confidentiality, integrity, and availability with a changed scope. It was published on 2026-04-21.

A low-privileged remote attacker (PR:L) can exploit this vulnerability over the network without user interaction. By manipulating the senderIsOwner parameter and leveraging heartbeat context inheritance, the attacker bypasses sandbox boundaries, achieving unauthorized privilege escalation. Successful exploitation grants high-level access, potentially compromising the entire system.

Mitigation involves updating to OpenClaw version 2026.3.31 or later, as detailed in the project's GitHub security advisory (GHSA-g5cg-8x5w-7jpm) and the fixing commit (a30214a624946fc5c85c9558a27c1580172374fd). Additional guidance is available in the VulnCheck advisory, emphasizing prompt patching to address the context validation issues.

EU & UK References

Vulnerability details

OpenClaw before 2026.3.31 contains a sandbox bypass vulnerability allowing attackers to escalate privileges via heartbeat context inheritance and senderIsOwner parameter manipulation. Attackers can exploit improper context validation to bypass sandbox restrictions and achieve unauthorized privilege escalation.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Sandbox bypass via context validation flaw and parameter manipulation directly enables privilege escalation from low-privileged remote access.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-35663Same product: Openclaw Openclaw
CVE-2026-35625Same product: Openclaw Openclaw
CVE-2026-35669Same product: Openclaw Openclaw
CVE-2026-35639Same product: Openclaw Openclaw
CVE-2026-35645Same product: Openclaw Openclaw
CVE-2026-41386Same product: Openclaw Openclaw
CVE-2026-35638Same product: Openclaw Openclaw
CVE-2026-43578Same product: Openclaw Openclaw
CVE-2026-41404Same product: Openclaw Openclaw
CVE-2026-41344Same product: Openclaw Openclaw

Affected Assets

openclaw
openclaw
≤ 2026.3.31

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates the sandbox bypass vulnerability by requiring timely remediation and patching of the improper context validation flaw in OpenClaw prior to version 2026.3.31.

prevent

Implements a reference monitor to mediate all access decisions and enforce sandbox policies, preventing privilege escalation via heartbeat context inheritance and senderIsOwner manipulation.

prevent

Enforces process isolation to maintain sandbox boundaries, countering context inheritance exploits that bypass restrictions and enable unauthorized privilege escalation.

References