PT-2026-23554 · Openclaw+1

Kexinoh · Published 2026-02-16 · Updated 2026-03-07 · CVE-2026-28479

CVSS v3.1: 9.1 Critical

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Name of the Vulnerable Software and Affected Versions

OpenClaw versions prior to 2026.2.15

Description

The software uses SHA-1 to hash sandbox identifier cache keys for Docker and browser sandbox configurations. SHA-1 is a deprecated cryptographic hash function with known collision weaknesses. A collision in this hash could allow an attacker to cause cache poisoning, potentially leading to unsafe sandbox state reuse. The software uses deterministic IDs to determine if an existing sandbox container can be safely reused. Exploiting this issue could allow one configuration to be misinterpreted as another under the same sandbox cache identity. The implementation has been updated to use SHA-256 for these hashes to restore collision resistance.

Recommendations

Update to version 2026.2.15 or later.
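
An added example (not OpenClaw's code) of the pattern the description refers to: a deterministic sandbox cache identity derived with SHA-256 over a canonical serialization, with the reuse check also comparing the stored configuration. The function names, config fields and record shape are assumptions made for illustration.

```javascript
// Added example; every name here is hypothetical, not taken from OpenClaw.
const { createHash } = require("node:crypto");

// Canonical form: object keys sorted, so equal configs serialize identically.
function canonicalize(value) {
  if (Array.isArray(value)) return "[" + value.map(canonicalize).join(",") + "]";
  if (value !== null && typeof value === "object") {
    const parts = Object.keys(value).sort()
      .map((k) => JSON.stringify(k) + ":" + canonicalize(value[k]));
    return "{" + parts.join(",") + "}";
  }
  return value === undefined ? "null" : JSON.stringify(value);
}

// Deterministic cache identity. The kind prefix ("docker" or "browser")
// keeps the two sandbox types from sharing an identity.
function sandboxCacheKey(kind, config, algorithm = "sha256") {
  return createHash(algorithm)
    .update(kind + "\n" + canonicalize(config))
    .digest("hex");
}

// What gets stored next to a running sandbox (assumed record shape).
function recordSandbox(kind, config, algorithm = "sha256") {
  return { kind, key: sandboxCacheKey(kind, config, algorithm),
           canonical: canonicalize(config) };
}

// Reuse only when the SHA-256 identity AND the stored canonical config match,
// so the decision never rests on the digest alone. Records keyed with the
// old 40-hex SHA-1 identity never match and are recreated.
function canReuse(record, kind, config) {
  return record.kind === kind &&
    record.key === sandboxCacheKey(kind, config) &&
    record.canonical === canonicalize(config);
}

// Constructed sample configurations.
const strict = { image: "sandbox:1", network: "none", readOnlyRoot: true };
const reordered = { readOnlyRoot: true, network: "none", image: "sandbox:1" };
const relaxed = { ...strict, network: "bridge" };

const current = recordSandbox("docker", strict);
const legacy = recordSandbox("docker", strict, "sha1");
console.log(canReuse(current, "docker", reordered));
console.log(canReuse(current, "docker", relaxed));
console.log(canReuse(legacy, "docker", strict));
```

After an upgrade that changes the hash, every previously recorded identity stops matching, so existing sandboxes are rebuilt once rather than reused.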

Fix

Use of a Broken Cryptographic Algorithm

Weakness Enumeration

Related Identifiers

BDU:2026-06170
CVE-2026-28479
GHSA-FH3F-Q9QW-93J9

Affected Products

Docker
Openclaw