PT-2026-26399 · Openclaw · Openclaw

Kexinoh · Published 2026-03-03 · Updated 2026-03-20 · CVE-2026-32018

CVSS v3.1: 4.8 Medium

Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L

Name of the Vulnerable Software and Affected Versions

OpenClaw versions prior to 2026.2.19

Description

The software contains a race condition in concurrent updateRegistry and removeRegistryEntry operations for sandbox containers and browsers. Registry writes are unsynchronized read-modify-write sequences performed without locking and with permissive fallback parsing, so concurrent registry updates can work from stale snapshots and overwrite each other, desynchronizing sandbox state. This can lead to data loss, resurrection of removed entries, or corruption of sandbox state, and can affect the sandbox list, sandbox prune, and sandbox recreate --all operations.

Recommendations

Update to version 2026.2.18 or later. Update to version 2026.2.19 or later. For versions prior to 2026.2.18, consider temporarily restricting concurrent access to the registry update and removal operations.
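
The lost-update pattern the description refers to, shown as an added example that is not OpenClaw's code: the bodies of updateRegistry and removeRegistryEntry here are hypothetical re-implementations, makeStore, makeSerializer and demo are invented helpers, and the sbx-* entries are constructed sample data. It runs a removal and an update concurrently against an in-memory stand-in for the registry file, first unsynchronized and then serialized through one promise chain.

```javascript
// Added illustration, not OpenClaw source; entry names are constructed data.
const tick = () => new Promise((resolve) => setImmediate(resolve));

function makeStore(entries) {
  let raw = JSON.stringify({ entries });
  return {
    async read() { await tick(); return JSON.parse(raw); }, // simulated I/O delay
    async write(doc) { await tick(); raw = JSON.stringify(doc); },
    names() { return JSON.parse(raw).entries.map((e) => e.name).sort(); },
  };
}

// Hypothetical unsynchronized read-modify-write, as the description outlines:
// the snapshot taken by read() may be stale by the time write() lands.
async function updateRegistry(store, entry) {
  const doc = await store.read();
  doc.entries = doc.entries.filter((e) => e.name !== entry.name).concat(entry);
  await store.write(doc);
}
async function removeRegistryEntry(store, name) {
  const doc = await store.read();
  doc.entries = doc.entries.filter((e) => e.name !== name);
  await store.write(doc);
}

// Mitigation sketch: queue every mutation behind the previous one so each
// read sees the result of the last completed write (single process only).
function makeSerializer() {
  let tail = Promise.resolve();
  return (op) => {
    const run = tail.then(op);
    tail = run.catch(() => {}); // a failed op must not block later ones
    return run;
  };
}

// Runs a removal and an update concurrently; returns the surviving names.
async function demo(serialize = (op) => op()) {
  const store = makeStore([{ name: "sbx-a" }, { name: "sbx-b" }]);
  await Promise.all([
    serialize(() => removeRegistryEntry(store, "sbx-a")),
    serialize(() => updateRegistry(store, { name: "sbx-c" })),
  ]);
  return store.names();
}

demo().then((names) => console.log("unsynchronized:", names));
demo(makeSerializer()).then((names) => console.log("serialized:  ", names));
```

In the unsynchronized run the removed sbx-a entry reappears because the update writes back its stale snapshot. An in-process queue like this does not cover several processes writing the same file, which needs a file lock or an atomic compare-and-replace.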

Fix

Race Condition


Weakness Enumeration

Related Identifiers

CVE-2026-32018
GHSA-GQ83-8Q7Q-9HFX

Affected Products

Openclaw