CVE-2026-32046
OpenClaw: Chrome --no-sandbox disabled OS-level browser sandbox in sandbox browser container
Description
## Summary

Sandbox browser container launched Chromium with `--no-sandbox` by default, disabling Chromium's OS-level sandbox protections.

## Affected Packages / Versions

- Package: `openclaw` (npm ecosystem)
- Latest published npm version at triage time (2026-02-21): `2026.2.19-2`
- Affected range: `<= 2026.2.19-2`
- Planned patched version for next release: `2026.2.21`

## Impact

When `--no-sandbox` is enabled by default, renderer compromise no longer requires a separate sandbox escape. This weakens container browser isolation and increases impact from renderer-side bugs.

## Resolution

- Default `--no-sandbox` removed from sandbox browser entrypoint.
- Explicit opt-in added via `OPENCLAW_BROWSER_NO_SANDBOX` / `CLAWDBOT_BROWSER_NO_SANDBOX`.
- Browser container hash migration + security audit checks added so stale containers are surfaced and can be recreated safely.

## Fix Commit(s)

- e7eba01efc4c3c400e9cfd3ce3d661cbc788a631
- 1835dec2004fe7a62c6a7ba46b8485f124ec6199

## Release Process Note

The advisory `patched_versions` field is pre-set to the planned next release (`2026.2.21`). After npm release publication, only advisory publish action should remain.

OpenClaw thanks @TerminalsandCoffee for reporting.
How to fix CVE-2026-32046
To remediate CVE-2026-32046, upgrade the affected package to a fixed version below.
- Upgrade to 2026.2.21 or later
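A container created before the upgrade keeps running with the old flag until it is recreated. The script below is an added example (not OpenClaw's own audit check) that lists main Chromium processes whose argv still contains `--no-sandbox`; the function names and the list of browser executable names are assumptions.

```shell
#!/bin/sh
# Added example: report browser processes still started with --no-sandbox.
# Reads procfs-style cmdline files; the root is a parameter so constructed
# fixtures can be scanned instead of the live /proc.

# Assumption: executable basenames that count as a Chromium browser.
is_chromium_name() {
    case "$1" in
        chrome|chromium|chromium-browser|google-chrome*) return 0 ;;
        *) return 1 ;;
    esac
}

# find_nosandbox_browsers [PROC_ROOT]
# Prints "PID<TAB>argv" for each main browser process whose argv contains
# the exact argument --no-sandbox.
find_nosandbox_browsers() {
    proc_root="${1:-/proc}"
    for f in "$proc_root"/[0-9]*/cmdline; do
        [ -r "$f" ] || continue
        # procfs separates argv entries with NUL; put one argument per line.
        args=$(tr '\0' '\n' < "$f" 2>/dev/null) || continue
        [ -n "$args" ] || continue   # kernel threads have an empty cmdline
        exe=$(printf '%s\n' "$args" | head -n 1)
        is_chromium_name "${exe##*/}" || continue
        # Child processes (renderer, gpu, ...) carry --type=... and inherit
        # the flag; report only the browser process that launched them.
        if printf '%s\n' "$args" | grep -q -- '^--type='; then continue; fi
        # -x matches a whole argument, so "--no-sandbox" embedded in a
        # longer argument is not counted.
        if printf '%s\n' "$args" | grep -qx -- '--no-sandbox'; then
            pid=${f%/cmdline}
            printf '%s\t%s\n' "${pid##*/}" "$(printf '%s' "$args" | tr '\n' ' ')"
        fi
    done
}
```

Calling `find_nosandbox_browsers` with no argument scans the live `/proc`; any line it prints after the upgrade points to a container that still needs to be recreated or that has the opt-in variable set.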
Is CVE-2026-32046 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- from 0, < 2026.2.21
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N |