CVEReports
Automated vulnerability intelligence platform. Comprehensive reports for high-severity CVEs generated by AI.
© 2026 CVEReports. All rights reserved. Made with love by Amit Schendel & Alon Barad.

GHSA-9Q36-67VC-RRWG: Sandbox Escape via Slash Command in OpenClaw ACP

Severity 6.5 · PoC Available

Amit Schendel, Senior Security Researcher
Mar 9, 2026 · 6 min read

Executive Summary (TL;DR)

OpenClaw versions prior to 2026.3.7 do not enforce the sandbox runtime policy on the `/acp spawn` slash command. A sandboxed session that can reach a connected chat interface can therefore start an ACP agent on the underlying host and escape the sandbox.

The flaw is a missing authorization check, not a weakness in the sandbox itself. OpenClaw's programmatic spawn path refuses `runtime="acp"` for sandboxed sessions because ACP agents run on the host; the chat-command handler for `/acp spawn` skipped that check, so a sandboxed user could start a host-level ACP session from Discord or any other integrated chat interface.

Vulnerability Overview

OpenClaw is an AI agent platform that can run untrusted agent sessions inside a sandbox. Its ACP (Agent Client Protocol) integration starts external agents with `runtime="acp"`, and those agents execute directly on the host rather than inside the sandbox. The isolation boundary therefore depends on OpenClaw refusing ACP spawns from sandboxed sessions; the sandbox-safe alternative is `runtime="subagent"`.

Versions prior to 2026.3.7 enforce that refusal inconsistently across entry points. The programmatic spawn API checks the requester's sandbox status before it will start a host-level ACP agent; the chat-interface command handler for `/acp spawn` does not perform the same check.

A sandboxed session that can issue the slash command can therefore start a host-level ACP session, crossing the isolation boundary from the sandbox to the host. What the attacker gets on the host is whatever the OpenClaw service itself can do, so the severity depends on the privileges that service runs with.

Root Cause Analysis

The root cause of GHSA-9Q36-67VC-RRWG is that authorization for ACP spawns was implemented separately at each entry point instead of once. OpenClaw can spawn an agent session through the programmatic `sessions_spawn()` path or through the `/acp spawn` slash command. The programmatic path verifies the runtime policy and refuses the `acp` runtime for sandboxed sessions.

The slash-command path does not. The handler `handleAcpSpawnAction` in `src/auto-reply/reply/commands-acp/lifecycle.ts` processes `/acp spawn` from integrated chat interfaces such as Discord and calls straight into session initialization without checking whether the requesting session is sandboxed.

The backend function `spawnAcpDirect` in `src/agents/acp-spawn.ts` does contain policy checks, but they act only on the sandbox information the caller passes in. Because the command handler neither resolved the requester's sandbox status nor passed it along, the host-level spawn proceeded with no policy applied. Two call sites, one of them trusting the other to have done the check, is the whole bug.

Code Analysis

The fix, commit 61000b8e4ded919ca1a825d4700db4cb3fdc56e3, centralizes the runtime policy check. A new helper, `resolveAcpSpawnRuntimePolicyError` in `src/agents/acp-spawn.ts`, resolves the requester's sandbox status from the session key itself via `resolveSandboxRuntimeStatus` and ORs that with any `requesterSandboxed` flag the caller supplies. Either signal is enough to refuse the spawn, so an entry point that forgets to pass the flag is still covered, and a caller cannot loosen the restriction by omitting it.

// src/agents/acp-spawn.ts (excerpt from the fix commit)
export function resolveAcpSpawnRuntimePolicyError(params: {
  cfg: OpenClawConfig;
  requesterSessionKey?: string;
  requesterSandboxed?: boolean;
  sandbox?: SpawnAcpSandboxMode;
}): string | undefined {
  // Resolve sandbox status server-side from the session key ...
  const requesterRuntime = resolveSandboxRuntimeStatus({
    cfg: params.cfg,
    sessionKey: params.requesterSessionKey,
  });
  // ... and combine it with any caller-supplied flag; either one refuses the spawn.
  const requesterSandboxed = params.requesterSandboxed === true || requesterRuntime.sandboxed;
  if (requesterSandboxed) {
    return 'Sandboxed sessions cannot spawn ACP sessions because runtime="acp" runs on the host. Use runtime="subagent" from sandboxed sessions.';
  }
  // additional validation logic
}

The patch calls this centralized check from the previously vulnerable `handleAcpSpawnAction` command path in `src/auto-reply/reply/commands-acp/lifecycle.ts`. The handler passes only the configuration and the requester's session key; the helper resolves the sandbox status itself, and the handler stops with the policy error if one is returned. The slash command now enforces the same restriction as the programmatic API.

// src/auto-reply/reply/commands-acp/lifecycle.ts, inside handleAcpSpawnAction
const runtimePolicyError = resolveAcpSpawnRuntimePolicyError({
  cfg: params.cfg,
  requesterSessionKey: params.sessionKey,
});

// Fail closed: a sandboxed requester never reaches the host-level spawn below.
if (runtimePolicyError) {
  return stopWithText(`⚠️ ${runtimePolicyError}`);
}
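The following is an added example, not OpenClaw's code, that models the bug described in the Root Cause and Code Analysis sections: two entry points for the same privileged action, a programmatic one that checks and a slash-command one that does not, followed by the fixed shape in which one policy helper serves both. The in-memory session registry, the session keys and all function names other than the page's `resolveAcpSpawnRuntimePolicyError` are hypothetical.

```typescript
// Added example, not OpenClaw's code: a minimal model of the two spawn entry
// points and the centralized policy check. The registry, session keys and
// function names below are hypothetical.

type Runtime = "acp" | "subagent";

interface SessionRecord {
  key: string;
  sandboxed: boolean;
}

// Hypothetical stand-in for OpenClaw's session store.
const SESSIONS: Record<string, SessionRecord> = {
  "agent:main:discord:ops": { key: "agent:main:discord:ops", sandboxed: false },
  "agent:main:discord:guest": { key: "agent:main:discord:guest", sandboxed: true },
};

// Stand-in for resolveSandboxRuntimeStatus: sandbox status comes from the
// server's own session record, never from anything the chat message carried.
function resolveSandboxed(sessionKey: string): boolean {
  const record = SESSIONS[sessionKey];
  if (!record) throw new Error(`unknown session: ${sessionKey}`);
  return record.sandboxed;
}

// Records every spawn that reached the host so the bypass is observable.
let hostSpawns: string[] = [];

function spawnOnHost(agentId: string, sessionKey: string): string {
  const handle = `${agentId}@host#${hostSpawns.length + 1}`;
  hostSpawns.push(`${sessionKey} -> ${handle}`);
  return handle;
}

function resetHost(): void {
  hostSpawns = [];
}

function hostSpawnLog(): readonly string[] {
  return hostSpawns;
}

const ACP_POLICY_ERROR =
  'Sandboxed sessions cannot spawn ACP sessions because runtime="acp" runs on the host. ' +
  'Use runtime="subagent" from sandboxed sessions.';

function parseAcpSpawn(text: string): string | undefined {
  const m = /^\/acp\s+spawn\s+(\S+)$/.exec(text.trim());
  return m ? m[1] : undefined;
}

// --- Pre-fix shape: the programmatic path checks, the slash command does not.

function toolSpawnVulnerable(sessionKey: string, runtime: Runtime, agentId: string): string {
  if (runtime === "acp" && resolveSandboxed(sessionKey)) {
    throw new Error(ACP_POLICY_ERROR);
  }
  return runtime === "acp" ? spawnOnHost(agentId, sessionKey) : `${agentId}@sandbox`;
}

function slashCommandVulnerable(sessionKey: string, text: string): string {
  const agentId = parseAcpSpawn(text);
  if (agentId === undefined) return "usage: /acp spawn <agentId>";
  // Bug: straight to the host, no sandbox check on this entry point.
  return spawnOnHost(agentId, sessionKey);
}

// --- Post-fix shape: one helper, called by every entry point.

function resolveAcpSpawnRuntimePolicyError(params: {
  requesterSessionKey: string;
  requesterSandboxed?: boolean;
}): string | undefined {
  // Either a caller-supplied flag or the server-side status is enough to
  // refuse, so omitting the flag cannot loosen the policy.
  const sandboxed =
    params.requesterSandboxed === true || resolveSandboxed(params.requesterSessionKey);
  return sandboxed ? ACP_POLICY_ERROR : undefined;
}

function slashCommandFixed(sessionKey: string, text: string): string {
  const agentId = parseAcpSpawn(text);
  if (agentId === undefined) return "usage: /acp spawn <agentId>";
  const err = resolveAcpSpawnRuntimePolicyError({ requesterSessionKey: sessionKey });
  if (err) return `⚠️ ${err}`;
  return spawnOnHost(agentId, sessionKey);
}

function toolSpawnFixed(sessionKey: string, runtime: Runtime, agentId: string): string {
  if (runtime === "acp") {
    const err = resolveAcpSpawnRuntimePolicyError({ requesterSessionKey: sessionKey });
    if (err) throw new Error(err);
    return spawnOnHost(agentId, sessionKey);
  }
  return `${agentId}@sandbox`;
}
```

The design point is where the sandbox decision is made: in the fixed shape every entry point asks the same helper, and the helper consults the server-side session record rather than trusting the caller to have passed a flag. Adding a third entry point later (a new chat platform, a CLI) cannot silently reintroduce the bypass unless it skips the helper entirely.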

Exploitation and Attack Vector

Exploitation requires an authenticated OpenClaw session that the sandbox policy treats as sandboxed (for example an unprivileged user account, or a session explicitly configured with sandbox: "require") and access to a chat interface, such as Discord, that routes commands to the OpenClaw instance.

The attacker submits /acp spawn <agentId> through the chat interface. OpenClaw's command routing passes the text to the vulnerable handleAcpSpawnAction, which, lacking the authorization check, treats it as a legitimate request for host-level execution.

The service then starts the requested ACP agent directly on the host, and the attacker has execution outside the isolated runtime. The attack is a single chat message that exercises a logic flaw; no memory corruption or other advanced technique is involved.

Impact Assessment

The primary impact of this vulnerability is a complete escape from the intended sandbox environment. By bypassing the restricted runtime policies, an attacker transitions their execution context from an isolated container to the underlying host machine. This represents a significant failure of the platform's core security model and isolation guarantees.

An ACP agent spawned on the host runs with the privileges of the OpenClaw service itself. If that service runs as a highly privileged user or as root, the attacker gains full administrative control of the host: arbitrary file read and write, persistence, and interference with other processes.

Even when the service runs with reduced privileges, host-level access is a strong foothold for lateral movement. The attacker can read the service's environment variables and configuration, harvest any credentials or API tokens stored there, and reach internal network resources that the sandbox previously kept out of reach. This substantially enlarges the blast radius of a compromised sandboxed session.

Remediation and Hardening

To remediate, upgrade all OpenClaw instances to version 2026.3.7 or later. This release contains the unified policy enforcement that prevents sandboxed sessions from abusing the slash-command interface. Pin the openclaw@2026.3.7 dependency wherever OpenClaw is installed from a package manager so the fix reaches every deployment.

Where immediate patching is not feasible, disabling the ACP feature in the OpenClaw configuration (acp.enabled: false) removes the host-level execution capability entirely. This blocks the vulnerable path at the cost of any administrative workflow that relies on ACP agents; sandboxed sessions that need to delegate work can continue to use runtime="subagent", which stays inside the sandbox.

After upgrading, run openclaw security audit --deep --fix, available in newer releases, to scan the local configuration and host environment for insecure settings and apply the recommended hardening. Also review the gateway and chat-interface logs for historical /acp spawn commands issued from session keys that were sandboxed at the time; before 2026.3.7 each such command is a potential host-level spawn and should be triaged as a possible prior exploitation.
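The log review described above, as an added example that is not part of the original page or of OpenClaw: it parses a hypothetical command-dispatch log, extracts /acp spawn commands, and flags those issued by session keys known to have been sandboxed during the exposure window. The log line format, session keys and agent names are constructed for the example; adapt the two regular expressions to the real log format of the deployment.

```typescript
// Added example, not OpenClaw's code: a retroactive hunt for /acp spawn
// commands issued by sessions the sandbox policy marked as sandboxed.
// The log line format, session keys and agent names are constructed.

interface AcpSpawnEvent {
  ts: string;
  sessionKey: string;
  agentId: string;
}

// Hypothetical dispatch log: '<ISO ts> <level> command.dispatch session=<key> cmd="<text>"'.
const SAMPLE_LOG = [
  '2026-03-06T10:11:02Z INFO command.dispatch session=agent:main:discord:ops cmd="/acp spawn codex"',
  '2026-03-06T10:15:44Z INFO command.dispatch session=agent:main:discord:guest-42 cmd="/status"',
  '2026-03-06T10:16:09Z INFO command.dispatch session=agent:main:discord:guest-42 cmd="/acp spawn gemini-cli"',
  '2026-03-06T10:16:10Z INFO acp.spawn.ok session=agent:main:discord:guest-42 agent=gemini-cli pid=4821',
  '2026-03-06T11:02:33Z WARN command.dispatch session=agent:main:discord:guest-42 cmd="/ACP  spawn codex"',
  "garbage line that should be skipped",
].join("\n");

// Session keys that were sandboxed during the exposure window (constructed).
const SANDBOXED_SESSIONS = new Set<string>(["agent:main:discord:guest-42"]);

const DISPATCH_RE = /^(\S+)\s+\S+\s+command\.dispatch\s+session=(\S+)\s+cmd="([^"]*)"$/;
// Case-insensitive and whitespace-tolerant so the hunt does not miss variants
// that a plain string search for "/acp spawn" would.
const SPAWN_RE = /^\/acp\s+spawn\s+(\S+)/i;

function parseAcpSpawns(log: string): AcpSpawnEvent[] {
  const events: AcpSpawnEvent[] = [];
  for (const line of log.split("\n")) {
    const d = DISPATCH_RE.exec(line.trim());
    if (!d) continue; // not a command dispatch record
    const [, ts, sessionKey, cmd] = d;
    const s = SPAWN_RE.exec(cmd ?? "");
    if (!s) continue; // some other slash command
    events.push({ ts: ts ?? "", sessionKey: sessionKey ?? "", agentId: s[1] ?? "" });
  }
  return events;
}

// Spawns from sandboxed sessions: before 2026.3.7 each one is a host-level
// agent started from inside the sandbox and warrants incident triage.
function findSandboxedAcpSpawns(log: string, sandboxed: Set<string>): AcpSpawnEvent[] {
  return parseAcpSpawns(log).filter((e) => sandboxed.has(e.sessionKey));
}

function summarize(events: AcpSpawnEvent[]): string[] {
  return events.map((e) => `${e.ts} ${e.sessionKey} spawned ${e.agentId} on host`);
}

for (const line of summarize(findSandboxedAcpSpawns(SAMPLE_LOG, SANDBOXED_SESSIONS))) {
  console.log(line);
}
```

Which sessions count as sandboxed is the part that needs care: the set must reflect the policy in force when each command was issued, not the current configuration, so build it from session records or configuration history covering the whole exposure window. A hit is a lead, not a verdict; correlate it with the corresponding spawn-success record and with process activity on the host at that timestamp.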

Official Patches

OpenClaw v2026.3.7 Release

Technical Appendix

CVSS Score
6.5 / 10
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Note: the vector string above evaluates to a 9.9 base score under the CVSS 3.1 formula, not 6.5, so the score and the vector do not agree. Confirm the intended rating against the GitHub advisory [1] before using it for triage.

Affected Systems

OpenClaw Platform: OpenClaw ACP (Agent Client Protocol) integration

Affected Versions Detail

Product              Affected Versions   Fixed Version
openclaw (OpenClaw)  < 2026.3.7          2026.3.7

Attribute                Detail
CWE ID                   CWE-285 (Improper Authorization)
Attack Vector            Network (chat interface command)
Impact                   Privilege escalation / sandbox escape
Exploit Status           Proof of concept
Authentication Required  Yes (sandboxed session)

MITRE ATT&CK Mapping

T1611 Escape to Host (Privilege Escalation)
T1068 Exploitation for Privilege Escalation (Privilege Escalation)

CWE-285 Improper Authorization

Vulnerability Timeline

Vulnerability Disclosed: 2026-03-08
Patch Released (v2026.3.7): 2026-03-08

References & Sources

  • [1] GitHub Advisory: GHSA-9Q36-67VC-RRWG
  • [2] Fix Commit: 61000b8e4ded919ca1a825d4700db4cb3fdc56e3
  • [3] OpenClaw v2026.3.7 Release Notes
  • [4] OpenClaw Documentation: ACP Agents
