GHSA-fh3f-q9qw-93j9
Suggest an improvement- Source
- https://github.com/advisories/GHSA-fh3f-q9qw-93j9
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-fh3f-q9qw-93j9/GHSA-fh3f-q9qw-93j9.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-fh3f-q9qw-93j9
- Aliases
- Published
- 2026-02-19T19:41:07Z
- Modified
- 2026-03-06T01:17:36.347817Z
- Severity
-
- 5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N CVSS Calculator
- 8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- OpenClaw replaced a deprecated sandbox hash algorithm
- Details
-
Affected Packages / Versions
- npm package:
openclaw - Affected versions:
<= 2026.2.14 - Fixed version (pre-set):
2026.2.15
Description
The sandbox identifier cache key for Docker/browser sandbox configuration used SHA-1 to hash normalized configuration payloads.
SHA-1 is deprecated for cryptographic use and has known collision weaknesses. In this code path, deterministic IDs are used to decide whether an existing sandbox container can be reused safely. A collision in this hash could let one configuration be interpreted as another under the same sandbox cache identity, increasing the risk of cache poisoning and unsafe sandbox state reuse.
The implementation now uses SHA-256 for these deterministic hashes to restore collision resistance for this security-relevant identifier path.
Fix Commit(s)
559c8d993
Release Process Note
patched_versionsis pre-set to2026.2.15for the next release. After that release is published, mark this advisory ready for publication.Thanks @kexinoh ( of Tencent zhuque Lab, by https://github.com/Tencent/AI-Infra-Guard) for reporting.
- npm package:
- Database specific
{ "github_reviewed_at": "2026-02-19T19:41:07Z", "nvd_published_at": "2026-03-05T22:16:22Z", "cwe_ids": [ "CWE-327", "CWE-328" ], "severity": "HIGH", "github_reviewed": true }- References
-
- https://github.com/openclaw/openclaw/security/advisories/GHSA-fh3f-q9qw-93j9
- https://nvd.nist.gov/vuln/detail/CVE-2026-28479
- https://github.com/openclaw/openclaw/commit/559c8d9930eebb5356506ff1a8cd3dbaec92be77
- https://github.com/openclaw/openclaw
- https://github.com/openclaw/openclaw/releases/tag/v2026.2.15
- https://www.vulncheck.com/advisories/openclaw-cache-poisoning-via-deprecated-sha-hash-in-sandbox-configuration
Affected packages
npm / openclaw
Package
- Name
- openclaw
- View open source insights on deps.dev
- Purl
- pkg:npm/openclaw