OpenClaw Docker Configuration Injection Vulnerability Allowing Container Escape

A configuration injection vulnerability has been identified in OpenClaw, a personal AI assistant, affecting versions through 2026.2.14. This vulnerability resides in the Docker tool sandbox, where it could allow the injection of dangerous Docker options such as bind mounts, host networking, and unconfined security profiles. Such configurations could lead to unauthorized access to host data or allow containers to escape their isolated environments. The issue arises from inadequate validation of sandbox Docker settings, which could be exploited by manipulating the Docker configuration or by an operator inadvertently pasting untrusted config.

Impact

Exploitation of this vulnerability could result in unauthorized access to sensitive host paths, such as system directories or the Docker socket. It could also allow the use of host networking to bypass container isolation, or the application of unconfined seccomp or AppArmor profiles to weaken security restrictions, potentially leading to full control over the host via Docker socket exposure.

Reproduction

The vulnerability can be reproduced by configuring the Docker sandbox in OpenClaw versions prior to 2026.2.15 to include dangerous options such as bind mounts of system directories or Docker socket paths, host networking, or unconfined seccomp or AppArmor profiles. This can be done by manually editing the sandbox configuration to include these settings, or by pasting untrusted config that introduces them.

Remediation

Users can update to OpenClaw version 2026.2.15 or later, where this vulnerability has been addressed. After updating, review and adjust the Docker sandbox configuration to remove any dangerous settings. Ensure that 'agents.*.sandbox.docker.binds' does not mount system directories or Docker socket paths, keep 'agents.*.sandbox.docker.network' set to 'none' or 'bridge', and avoid using 'unconfined' for seccomp or AppArmor profiles.