GHSA-fh3f-q9qw-93j9: OpenClaw replaced a deprecated sandbox hash algorithm
Summary
OpenClaw, an npm package, used SHA-1 (an outdated hashing algorithm with known weaknesses) to create identifiers for Docker and browser sandbox configurations. An attacker could exploit hash collisions (two different configurations producing the same hash) to trick the system into reusing the wrong sandbox, leading to cache poisoning (corrupting stored data) and unsafe sandbox reuse.
Solution / Mitigation
Update to version 2026.2.15 or later. The fix replaces SHA-1 with SHA-256 (a stronger hashing algorithm with better collision resistance) for generating these sandbox identifiers.
Original source: https://github.com/advisories/GHSA-fh3f-q9qw-93j9
First tracked: February 19, 2026 at 03:00 PM
Classified by LLM (prompt v3) · confidence: 72%