GHSA-gq83-8q7q-9hfx

Source
https://github.com/advisories/GHSA-gq83-8q7q-9hfx
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-gq83-8q7q-9hfx/GHSA-gq83-8q7q-9hfx.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-gq83-8q7q-9hfx
Aliases
Downstream
Published
2026-03-03T23:32:49Z
Modified
2026-05-05T15:58:31.396736Z
Severity
  • 4.8 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L
  • 6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
Summary
OpenClaw: serialize sandbox registry writes to prevent races and delete-rollback corruption
Details

Impact

Concurrent updateRegistry/removeRegistryEntry operations for sandbox containers and browsers could lose updates or resurrect removed entries under race conditions.

The registry writes were read-modify-write sequences with no locking across the read-modify-write window, combined with permissive fallback parsing, so concurrent registry updates could operate on stale snapshots and overwrite each other.

That desynchronizes sandbox state and can affect the behavior of sandbox list, sandbox prune, and sandbox recreate --all.
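
The following is an added example, not OpenClaw's code and not the fix commit referenced below. It models a sandbox registry stored as a JSON document and shows the lost-update race that unserialized read-modify-write updates produce, a promise-chain lock that serializes updates so each one reads the latest committed state, and a strict parser that treats a corrupt registry document as an error rather than falling back to an empty registry (which the next write would then persist). The store, the function names and the container records are all constructed for this example.

```javascript
// Added example (not OpenClaw's code). Models a JSON sandbox registry and
// contrasts unserialized read-modify-write updates with updates serialized
// through a promise-chain lock. All names and data here are invented.

// Constructed in-memory stand-in for the registry file on disk.
const store = { text: JSON.stringify({ containers: {} }) };

// Strict parser: a corrupt registry document is an error, not an empty registry.
// A permissive "return {}" fallback here would let the next write replace the
// whole registry with an empty one.
function parseRegistry(text) {
  let parsed;
  try {
    parsed = JSON.parse(text);
  } catch (err) {
    throw new Error(`registry document is not valid JSON: ${err.message}`);
  }
  if (!parsed || typeof parsed !== "object" ||
      parsed.containers === null || typeof parsed.containers !== "object") {
    throw new Error("registry document has an unexpected shape");
  }
  return parsed;
}

// Simulated asynchronous I/O: each call yields to the event loop, which is
// exactly the window in which another caller can read a stale snapshot.
const tick = () => new Promise((resolve) => setTimeout(resolve, 0));
async function readRegistry() {
  await tick();
  return parseRegistry(store.text);
}
async function writeRegistry(registry) {
  await tick();
  store.text = JSON.stringify(registry);
}

// Unsafe read-modify-write: concurrent callers all snapshot the same state,
// the last writer wins, and the other callers' changes are dropped.
async function updateRegistryUnsafe(mutate) {
  const registry = await readRegistry();
  mutate(registry);
  await writeRegistry(registry);
}

// Promise-chain lock: each update starts only after the previous one has
// settled, so every read sees the latest committed write.
let registryChain = Promise.resolve();
function withRegistryLock(task) {
  const run = registryChain.then(task, task);
  registryChain = run.catch(() => {}); // a failed task must not poison the chain
  return run;
}
function updateRegistrySerialized(mutate) {
  return withRegistryLock(async () => {
    const registry = await readRegistry();
    mutate(registry);
    await writeRegistry(registry);
  });
}

// Fire n concurrent "register container" updates and count how many survived.
async function countSurvivingEntries(updateFn, n) {
  store.text = JSON.stringify({ containers: {} });
  await Promise.all(
    Array.from({ length: n }, (_, i) =>
      updateFn((registry) => { registry.containers[`sandbox-${i}`] = { id: i }; }))
  );
  return Object.keys(parseRegistry(store.text).containers).length;
}

// Runs both variants with the same workload and returns the surviving counts:
// the unsafe variant keeps fewer than n entries, the serialized one keeps all n.
async function demo(n = 5) {
  const unsafe = await countSurvivingEntries(updateRegistryUnsafe, n);
  const serialized = await countSurvivingEntries(updateRegistrySerialized, n);
  return { n, unsafe, serialized };
}
```

Call `demo()` and inspect the returned counts; run the two variants one after the other rather than concurrently, since they share the simulated store. The promise chain is an in-process lock only: when several processes touch the same registry file, it needs to be combined with a cross-process lock or a write-to-temporary-file-then-rename scheme so that a reader never sees a partially written document.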

Affected Packages / Versions

  • Package: openclaw (npm)
  • Affected versions: <= 2026.2.17
  • Patched versions: 2026.2.18

Fix Commit(s)

  • cc29be8c9

OpenClaw thanks @kexinoh for reporting.

Database specific
{
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-03T23:32:49Z",
    "cwe_ids": [
        "CWE-362"
    ],
    "severity": "MODERATE",
    "nvd_published_at": "2026-03-19T22:16:35Z"
}
References

Affected packages

npm / openclaw

Package

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
2026.2.19

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-gq83-8q7q-9hfx/GHSA-gq83-8q7q-9hfx.json"