Lyrie
Critical CVE
CVSS 9.9 · 3 sources verified · 1 min read
By Lyrie Threat Intelligence · 4/27/2026

CRITICAL: CVE-2026-41329 (CVSS 9.9) — openclaw openclaw

CVE: CVE-2026-41329

CVSS: 9.9 (v3.1) — CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Severity: CRITICAL

Status: Critical advisory

Affected

  • openclaw openclaw

Summary

OpenClaw before 2026.3.31 contains a sandbox bypass vulnerability that allows an attacker with low privileges (PR:L in the vector above) to escalate privileges via heartbeat context inheritance and manipulation of the senderIsOwner parameter. Because the inherited context is not properly validated, sandbox restrictions can be bypassed, resulting in unauthorized privilege escalation.

Verified Sources

References

  • https://github.com/openclaw/openclaw/commit/a30214a624946fc5c85c9558a27c1580172374fd
  • https://github.com/openclaw/openclaw/security/advisories/GHSA-g5cg-8x5w-7jpm
  • https://www.vulncheck.com/advisories/openclaw-sandbox-bypass-via-heartbeat-context-inheritance-and-senderisowner-escalation

_Validated by the Lyrie Threat Intelligence Pipeline — 3 independent sources confirmed before publication. No speculation._

Lyrie Verdict

A vulnerability of this severity is exactly what Lyrie's anti-rogue-AI defense is built for: continuous, autonomous monitoring that doesn't wait for human reaction time.

Validated sources

  1. NVD
  2. GitHub Advisory
  3. MITRE