← The Wire

Security2026-04-21 · source-backed

CVE-2026-41329: OpenClaw Sandbox Bypass, CVSS 9.9.

Confidence
source-backed
Sources
1
Redaction
redacted

Story

Published April 21, this critical flaw lets attackers escalate privileges by manipulating heartbeat context inheritance in OpenClaw before version 2026.3.31. This is the latest in a string of 9 CVEs disclosed in 4 days back in March. If you're running OpenClaw in production, patch immediately.

Related stories

Each link below shares sources, entities, or timing with this story.

  1. Shared entities / Earlier coverage

    AI-Generated Code CVEs Hit 35 in March. That's 6x January's Count, and the Trend Line Isn't Flattening.

    Both cover CVE, CVEs, CVSS, March; earlier CVE coverage from 2026-03-29.

  2. Shared entities / Same source domain / Shared topic / Earlier coverage

    MCP Security Debt Hits Critical Mass: 30+ CVEs in 60 Days, PraisonAI CVSS 10, Azure AI Foundry CVSS 10

    Both cover CVE, CVEs, CVSS; reported by the same outlet (thehackerwire.com); overlapping topics (cves, cvss, days).

  3. CVE-2026-32051: OpenClaw Authorization Mismatch (CVSS 8.8)

    Both cover CVE, CVSS, OpenClaw; reported by the same outlet (thehackerwire.com); overlapping topics (cvss, immediately, openclaw).

  4. Shared entities / Shared topic / Earlier coverage

    n8n Has Four Critical CVEs, CISA Deadline Is Today, and 71,537 Instances Are Exposed

    Both cover CVE, CVEs, CVSS, March; overlapping topics (cves, cvss); earlier CVE coverage from 2026-03-25.

  5. Shared entities / Same source domain / Earlier coverage

    CVE-2026-33010: Any Website Can Read and Delete Your Agent's Memories

    Both cover CVE, CVEs, CVSS, March; reported by the same outlet (thehackerwire.com); earlier CVE coverage from 2026-03-21.

  6. Shared entities / Same source domain / Shared topic / Earlier coverage

    CVE-2026-33010: High-Severity Vulnerability in mcp-memory-service

    Both cover CVE, CVSS, March; reported by the same outlet (thehackerwire.com); overlapping topics (cvss, disclosed).

  7. Shared entities / Shared topic / Earlier coverage

    XBOW AI Agent Discovers CVSS 9.8 Windows RCE Without Source Code

    Both cover CVE, CVEs, CVSS; overlapping topics (attacker, critical, cvss); earlier CVE coverage from 2026-03-11.

  8. Shared entities / Shared topic / What happened next

    AI-generated CVEs hit 56 in Q1 2026. March alone (35) exceeded all of 2025 combined.

    Both cover CVEs, CVSS, March; overlapping topics (cves, cvss); picks up the CVEs thread on 2026-04-30.

Source trail

Entities

Provenance

AI generated
no
Story unit
2026-04-21-cve-2026-41329-openclaw-sandbox-bypass-cvss-9-9
Labels
source-backed, canonical briefing excerpt