PT-2026-20968 · Openclaw · Openclaw

Kexinoh · Published 2026-02-18 · Updated 2026-02-20 · CVE-2026-27007

CVSS v4.0: 4.8 Medium

Vector: AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions

OpenClaw versions prior to 2026.2.15

Description

OpenClaw is a personal AI assistant. Prior to version 2026.2.15, the normalizeForHash function in src/agents/sandbox/config-hash.ts recursively sorted arrays containing only primitive values. This resulted in order-sensitive sandbox configuration arrays hashing to the same value even when the order changed. In OpenClaw sandbox flows, this hash determines whether existing sandbox containers are recreated. Consequently, changes to array order in the configuration (for example, Docker dns and binds array order) could be considered unchanged, leading to the reuse of potentially stale containers. This represents a configuration integrity issue affecting sandbox recreation behavior. Starting with version 2026.2.15, array ordering is preserved during hash normalization, with only object key ordering normalized for deterministic hashing.
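
The two normalization behaviours described above, side by side, as an added example that is not OpenClaw's code. The function names, the SHA-256 over JSON serialization and the sample configs are assumptions made for illustration; only the sort-versus-preserve difference comes from the advisory.

```typescript
import { createHash } from "node:crypto";

type Json = string | number | boolean | null | Json[] | { [key: string]: Json };
type Normalizer = (value: Json) => Json;

// Shared by both variants: sort object keys so key order never affects the hash.
function normalizeObject(value: Json, recurse: Normalizer): Json {
  if (value === null || typeof value !== "object" || Array.isArray(value)) return value;
  const out: { [key: string]: Json } = {};
  for (const key of Object.keys(value).sort()) out[key] = recurse(value[key]);
  return out;
}

// Behaviour described for versions before 2026.2.15: arrays containing only
// primitives are sorted, which discards their order before hashing.
function normalizeSortingArrays(value: Json): Json {
  if (!Array.isArray(value)) return normalizeObject(value, normalizeSortingArrays);
  const items = value.map(normalizeSortingArrays);
  const allPrimitive = items.every((v) => v === null || typeof v !== "object");
  if (!allPrimitive) return items;
  return [...items].sort((a, b) => (String(a) < String(b) ? -1 : String(a) > String(b) ? 1 : 0));
}

// Behaviour described for 2026.2.15 and later: array order is preserved.
function normalizePreservingArrays(value: Json): Json {
  if (!Array.isArray(value)) return normalizeObject(value, normalizePreservingArrays);
  return value.map(normalizePreservingArrays);
}

function configHash(config: Json, normalize: Normalizer): string {
  return createHash("sha256").update(JSON.stringify(normalize(config))).digest("hex");
}

// Hypothetical helper: a sandbox is recreated only when the hash changes.
function needsRecreate(oldCfg: Json, newCfg: Json, normalize: Normalizer): boolean {
  return configHash(oldCfg, normalize) !== configHash(newCfg, normalize);
}

// Constructed sample configs: same entries, dns and binds order swapped.
const running: Json = {
  docker: { dns: ["10.0.0.53", "1.1.1.1"], binds: ["/srv/base:/data:ro", "/srv/job:/data/job"] },
};
const edited: Json = {
  docker: { binds: ["/srv/job:/data/job", "/srv/base:/data:ro"], dns: ["1.1.1.1", "10.0.0.53"] },
};

console.log("sorted arrays    ->", needsRecreate(running, edited, normalizeSortingArrays));    // false
console.log("preserved arrays ->", needsRecreate(running, edited, normalizePreservingArrays)); // true
```

With the sorting variant the reordered config is treated as unchanged, so the existing container would be kept; with order preserved the hash differs and recreation is triggered.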

Recommendations

Update OpenClaw to version 2026.2.15 or later.

Related Identifiers

CVE-2026-27007
GHSA-XXVH-5HWJ-42PP

Affected Products

Openclaw