OpenClaw Sandbox Registry Can Lose Updates or Restore Deleted Entries
GHSA-gq83-8q7q-9hfx
Summary
The OpenClaw sandbox registry can become outdated or corrupted when multiple users update or delete entries at the same time. This can cause issues with listing, pruning, or recreating sandbox environments. To fix this, update to version 2026.2.18 or later.
What to do
- Update openclaw to version 2026.2.19.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | openclaw | <= 2026.2.19 | 2026.2.19 |
Original title
OpenClaw's serialize sandbox registry writes to prevent races and delete-rollback corruption
Original description
## Impact
Concurrent `updateRegistry`/`removeRegistryEntry` operations for sandbox containers and browsers could lose updates or resurrect removed entries under race conditions.
The registry writes were read-modify-write in a window with no locking and permissive fallback parsing, so concurrent registry updates could produce stale snapshots and overwrite each other.
That desyncs sandbox state and can affect `sandbox list`, `sandbox prune`, and `sandbox recreate --all` behavior.
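The race described above, reproduced as an added example (not OpenClaw's code, and not the fix commit): three registry operations run concurrently against an unlocked read-modify-write, then again through a promise queue that serializes them. The in-memory store, the `containerName` field, the `sbx-*` names and all function names are assumptions made for illustration.

```javascript
// Constructed in-memory stand-in for the registry JSON file (not OpenClaw code).
function makeStore(names) {
  let text = JSON.stringify({ entries: names.map((n) => ({ containerName: n })) });
  const tick = () => new Promise((resolve) => setImmediate(resolve)); // simulated I/O latency
  return {
    async read() { await tick(); return text; },
    async write(next) { await tick(); text = next; },
    names: () => JSON.parse(text).entries.map((e) => e.containerName).sort(),
  };
}

// Unlocked read-modify-write: each caller edits its own snapshot and writes it back whole.
async function mutate(store, fn) {
  const registry = JSON.parse(await store.read()); // strict: a bad read throws, no empty fallback
  registry.entries = fn(registry.entries);
  await store.write(JSON.stringify(registry));
}

// Serialized variant: a mutation starts only after the previous one has settled.
function makeSerialized(store) {
  let tail = Promise.resolve();
  return (fn) => {
    const run = tail.then(() => mutate(store, fn));
    tail = run.catch(() => {}); // a failed mutation must not stall the queue
    return run;
  };
}

const upsert = (name) => (entries) =>
  entries.filter((e) => e.containerName !== name).concat({ containerName: name });
const remove = (name) => (entries) => entries.filter((e) => e.containerName !== name);

// Registry starts with sbx-a; three operations are issued without awaiting each other.
async function demo() {
  const ops = () => [upsert("sbx-b"), remove("sbx-a"), upsert("sbx-c")];

  const racy = makeStore(["sbx-a"]);
  await Promise.all(ops().map((fn) => mutate(racy, fn)));

  const safe = makeStore(["sbx-a"]);
  const queued = makeSerialized(safe);
  await Promise.all(ops().map((fn) => queued(fn)));

  return { racy: racy.names(), serialized: safe.names() };
}

demo().then((r) => console.log(r));
```

The unlocked run ends with `sbx-a` and `sbx-c` (the `sbx-b` update is lost and the removed `sbx-a` is back), while the serialized run ends with `sbx-b` and `sbx-c`. A promise queue only orders writers inside one process, so separate processes sharing the registry file need a file lock as well.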
## Affected Packages / Versions
- Package: `openclaw` (npm)
- Affected versions: `<= 2026.2.17`
- Patched versions: `2026.2.18`
## Fix Commit(s)
- `cc29be8c9`
OpenClaw thanks @kexinoh for reporting.
ghsa CVSS4.0
6.9
Vulnerability type
CWE-362
Race Condition
Published: 3 Mar 2026 · Updated: 7 Mar 2026 · First seen: 6 Mar 2026