GHSA-Q94V-V6M9-JHQ9 Duplicate Advisory: OpenClaw has an improper sandbox configuration vulnerability

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-43x4-g22p-3hrq. This link is maintained to preserve external references. Original Description OpenClaw versions prior to 2026.2.21 contain an improper sandbox configuration vulnerability that allows attackers to...

CVE-2026-32046

OpenClaw versions prior to 2026.2.21 contain an improper sandbox configuration vulnerability that allows attackers to execute arbitrary code by exploiting renderer-side vulnerabilities without requiring a sandbox escape. Attackers can leverage the disabled OS-level sandbox protections in the...

PT-2026-26729

OpenClaw versions prior to 2026.2.21 contain an improper sandbox configuration vulnerability that allows attackers to execute arbitrary code by exploiting renderer-side vulnerabilities without requiring a sandbox escape. Attackers can leverage the disabled OS-level sandbox protections in the...

CVE-2026-28479 OpenClaw < 2026.2.15 - Cache Poisoning via Deprecated SHA-1 Hash in Sandbox Configuration

OpenClaw versions prior to 2026.2.15 use SHA-1 to hash sandbox identifier cache keys for Docker and browser sandbox configurations, which is deprecated and vulnerable to collision attacks. An attacker can exploit SHA-1 collisions to cause cache poisoning, allowing one sandbox configuration to be...

CVE-2026-28479

OpenClaw versions prior to 2026.2.15 use SHA-1 to hash sandbox identifier cache keys for Docker and browser sandbox configurations, which is deprecated and vulnerable to collision attacks. An attacker can exploit SHA-1 collisions to cause cache poisoning, allowing one sandbox configuration to be...

CVE-2026-28479

OpenClaw before 2026.2.15 hashes sandbox cache keys with SHA-1, introducing collision risks that can poison cache and cause unsafe sandbox state reuse. Affected: OpenClaw versions prior to 2026.2.15. Root cause: deprecated SHA-1-based hashing of Docker/browser sandbox configuration identifiers. I...

PT-2026-26414

A workspace-only file-system guard mismatch allowed @-prefixed absolute paths to bypass boundary validation in some tool path checks. Impact When tools.fs.workspaceOnly=true, certain @-prefixed absolute paths for example @/etc/passwd could be validated before canonicalization while runtime path...

CVE-2026-27007 OpenClaw's sandbox config hash sorted primitive arrays and suppressed needed container recreation

OpenClaw is a personal AI assistant. Prior to version 2026.2.15, normalizeForHash in src/agents/sandbox/config-hash.ts recursively sorted arrays that contained only primitive values. This made order-sensitive sandbox configuration arrays hash to the same value even when order changed. In OpenClaw...

PT-2026-20968

OpenClaw is a personal AI assistant. Prior to version 2026.2.15, normalizeForHash in src/agents/sandbox/config-hash.ts recursively sorted arrays that contained only primitive values. This made order-sensitive sandbox configuration arrays hash to the same value even when order changed. In OpenClaw...

DSPy does not properly restrict file reads

The overly permissive sandbox configuration in DSPy allows attackers to steal sensitive files in cases when users build an AI agent which consumes user input and uses the “PythonInterpreter” class...