CVE-2026-32038CRITICAL 9.0EPSS p17.7%

CVE-2026-32038CVE-2026-32038

Description

OpenClaw before 2026.2.24 contains a sandbox network isolation bypass vulnerability that allows trusted operators to join another container's network namespace. Attackers can configure the docker.network parameter with container:<id> values to reach services in target container namespaces and bypass network hardening controls.

Scoring

CVSS 3.19.0 (CRITICAL)
VectorCVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS0.27% probability of exploitation · percentile 17.7% · 2026-06-19T12:03:05Z
Published2026-03-19
Last modified2026-03-23

Underlying weaknesses· 1

CWE-284

References

  1. https://github.com/openclaw/openclaw/security/advisories/GHSA-ww6v-v748-x7g9
  2. https://www.vulncheck.com/advisories/openclaw-sandbox-network-isolation-bypass-via-docker-network-container-parameter

1

TypeTargetConfidenceTier
WeaknessImproper Access Controlcwe-2840%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE
CVE-2026-32048
CVE
CVE-2026-42434
CVE
CVE-2026-27002
CVE
CVE-2026-32064
CVE
CVE-2026-32046
CVE
CVE-2026-35650
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.