CVE-2026-41329 · CRITICAL 9.9 · EPSS percentile 21.3%


Description

OpenClaw before 2026.3.31 contains a sandbox bypass vulnerability allowing attackers to escalate privileges via heartbeat context inheritance and senderIsOwner parameter manipulation. Attackers can exploit improper context validation to bypass sandbox restrictions and achieve unauthorized privilege escalation.

Scoring

CVSS 3.1: 9.9 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
EPSS: 0.30% probability of exploitation · percentile 21.3% · scored 2026-06-18T12:00:27Z
Published: 2026-04-21
Last modified: 2026-04-27

Underlying weaknesses · 1

CWE-648

References

  1. https://github.com/openclaw/openclaw/commit/a30214a624946fc5c85c9558a27c1580172374fd
  2. https://github.com/openclaw/openclaw/security/advisories/GHSA-g5cg-8x5w-7jpm
  3. https://www.vulncheck.com/advisories/openclaw-sandbox-bypass-via-heartbeat-context-inheritance-and-senderisowner-escalation


Type      Target                                      Confidence  Tier
Weakness  Incorrect Use of Privileged APIs (cwe-648)  0%          live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE · CVE-2026-43578
CVE · CVE-2026-43566
CVE · CVE-2026-32914
CVE · CVE-2026-32915
CVE · CVE-2026-41378
CVE · CVE-2026-32918
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.