"details": "### Summary\nIn `openclaw@2026.2.23`, sandbox network hardening blocks `network=host` but still allows `network=container:<id>`.\n\nThis can let a sandbox join another container's network namespace and reach services available in that namespace.\n\n### Preconditions and Trust Model Context\nThis issue requires a trusted-operator configuration path (for example setting `agents.defaults.sandbox.docker.network` in gateway config). It is not an unauthenticated remote exploit by itself.\n\n### Details\nCurrent validation blocks only `host`, while forwarding other values to Docker create args:\n\n- `validateNetworkMode(network)` only rejects values in `BLOCKED_NETWORK_MODES = {\"host\"}`.\n- `buildSandboxCreateArgs(...)` validates then forwards `cfg.network` into `--network`.\n- Browser sandbox helper also treats `container:` as an accepted mode in network preparation.\n\nEffective behavior:\n\n- `host` -> blocked\n- `container:<id>` -> accepted and forwarded\n\n### Impact\nType: sandbox network isolation hardening bypass.\n\nPractical impact depends on deployment:\n\n- Requires ability to influence trusted sandbox network config.\n- Higher impact when a target container exposes privileged/internal network reachability.\n\n### Remediation\nBlock namespace-join style network modes (including `container:<id>`) for sandbox containers, and keep strict allowlisting for safe network modes.\n\n\n### Patch Status\nFixed on `main` in commit `14b6eea6e`:\nhttps://github.com/openclaw/openclaw/commit/14b6eea6e\n\nFollow-up refactor/cleanup (no policy rollback):\nhttps://github.com/openclaw/openclaw/commit/5552f9073\n\n\n### Publication Update (2026-02-25)\n`openclaw@2026.2.24` is published on npm and contains the fix commit(s) listed above. This advisory now marks `>= 2026.2.24` as patched.",
![advisory-database[bot]](https://avatars.githubusercontent.com/in/21409?v=4&size=40){kind=avatar}
0 commit comments