OpenClaw Cache Poisoning Vulnerability via Deprecated SHA-1 Hashing in Sandbox Configurations
Vulnerability
A cache poisoning vulnerability has been identified in OpenClaw versions prior to 2026.2.15. The issue arises because these versions use SHA-1 to hash sandbox identifier cache keys for Docker and browser configurations. SHA-1 is deprecated and susceptible to collision attacks, which an attacker could exploit to poison the cache. This would allow one sandbox configuration to be misrepresented as another, leading to unsafe reuse of sandbox states.
Impact
Exploitation of this vulnerability could result in cache poisoning, where one sandbox configuration is incorrectly recognized as another. This misrepresentation could allow unsafe reuse of sandbox states, potentially leading to security risks such as container escape.
Remediation
Users can upgrade to OpenClaw version 2026.2.15 or later to address this vulnerability.
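As an added illustration that is not OpenClaw's own code (its real key derivation and configuration schema are not given on this page), the SHA-1 keyed pattern the advisory describes beside a hardened form: SHA-256 over a canonical serialization with a versioned domain-separation prefix, plus a cache that compares the full configuration on a hit instead of trusting the digest alone. The configuration fields and the prefix label are assumptions.

```python
import hashlib
import json
from typing import Any, Callable

# Constructed sample configurations; OpenClaw's real schema is not on the page (assumption).
DOCKER_CFG = {"kind": "docker", "image": "example/sandbox:1.0", "network": "none"}
BROWSER_CFG = {"kind": "browser", "profile": "ephemeral", "headless": True}


def canonical_bytes(config: dict[str, Any]) -> bytes:
    """Deterministic serialisation (sorted keys, no whitespace) so equivalent
    configs always produce identical input to the hash."""
    return json.dumps(config, sort_keys=True, separators=(",", ":")).encode("utf-8")


def weak_cache_key(config: dict[str, Any]) -> str:
    """The pattern the advisory describes: SHA-1 over the config. SHA-1 is
    collision-prone, so two distinct configs can be made to share a key."""
    return hashlib.sha1(canonical_bytes(config)).hexdigest()


def hardened_cache_key(config: dict[str, Any], schema_version: str = "v1") -> str:
    """SHA-256 with a domain-separation prefix (hypothetical label) and a schema
    version, so keys derived under an older scheme are never reused."""
    h = hashlib.sha256()
    h.update(b"sandbox-cache-key:" + schema_version.encode("ascii") + b"\n")
    h.update(canonical_bytes(config))
    return h.hexdigest()


class SandboxCache:
    """Cache keyed by hardened_cache_key. On a hit it also compares the full
    canonical config, so a digest match alone never triggers state reuse."""

    def __init__(self) -> None:
        self._entries: dict[str, tuple[bytes, Any]] = {}

    def get_or_create(self, config: dict[str, Any], factory: Callable[[], Any]) -> Any:
        key = hardened_cache_key(config)
        canon = canonical_bytes(config)
        hit = self._entries.get(key)
        if hit is not None and hit[0] == canon:
            return hit[1]
        # Miss, or key present but bound to a different config: rebuild, never reuse.
        state = factory()
        self._entries[key] = (canon, state)
        return state
```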
