{"data":{"id":"e1ac2f67-5b5c-4e8c-9344-aa98b6a9fbf0","title":"GHSA-fh3f-q9qw-93j9: OpenClaw replaced a deprecated sandbox hash algorithm","summary":"OpenClaw, an npm package, used SHA-1 (an outdated hash algorithm with known collision weaknesses) to derive identifiers for Docker and browser sandbox configurations. An attacker could exploit hash collisions (two different configurations producing the same hash) to make the system treat a sandbox created for one configuration as matching another, leading to cache poisoning (a cached sandbox being reused for a configuration it was not built for) and unsafe sandbox reuse.","solution":"Update to version 2026.2.15 or later. The fix replaces SHA-1 with SHA-256 (a stronger hash algorithm with better collision resistance) for generating these sandbox identifiers.","labels":["security"],"sourceUrl":"https://github.com/advisories/GHSA-fh3f-q9qw-93j9","publishedAt":"2026-02-19T19:41:07.000Z","cveId":null,"cweIds":null,"cvssScore":null,"cvssSeverity":"medium","severity":"medium","attackType":["supply_chain"],"issueType":"vulnerability","affectedPackages":["openclaw@<= 2026.2.14 (fixed: 2026.2.15)"],"affectedVendors":[],"affectedVendorsRaw":["OpenClaw"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":null,"epssScore":null,"patchAvailable":null,"disclosureDate":null,"capecIds":null,"crossRefCount":0,"attackSophistication":"moderate","impactType":["integrity"],"aiComponentTargeted":"inference","llmSpecific":false,"classifierConfidence":0.72,"researchCategory":null,"atlasIds":null}}