OpenClaw Race Condition Vulnerability in Sandbox Registry Operations

A race condition vulnerability has been identified in OpenClaw versions prior to 2026.2.19. This vulnerability arises from concurrent 'updateRegistry' and 'removeRegistryEntry' operations for sandbox containers and browsers, leading to unsynchronized read-modify-write actions. Attackers can exploit this lack of locking, causing registry updates to lose data, resurrect deleted entries, or corrupt the sandbox state. Such corruption can disrupt 'sandbox list', 'prune', and 'recreate' operations.

Impact

Exploitation of this vulnerability can cause registry updates to be lost, deleted entries to be resurrected, or the sandbox state to become corrupted, disrupting various sandbox operations.

Reproduction

The vulnerability can be reproduced by performing concurrent 'updateRegistry' and 'removeRegistryEntry' operations on sandbox containers or browsers. This can be done by manually triggering these operations at the same time or by using a script that sends simultaneous requests to update and remove registry entries. The absence of synchronization will allow one operation to interfere with the other, causing data loss or corruption.

Remediation

Users can update to OpenClaw version 2026.2.19 or later, where this vulnerability has been patched.