Description
OpenClaw versions prior to 2026.2.19 contain a race condition vulnerability in concurrent updateRegistry and removeRegistryEntry operations for sandbox containers and browsers. Attackers can exploit unsynchronized read-modify-write operations without locking to cause registry updates to lose data, resurrect removed entries, or corrupt sandbox state affecting list, prune, and recreate operations.
Published: 2026-03-19
Score: 2 Low
EPSS: < 1% Very Low
KEV: No
Impact: Integrity Impact
Action: Apply Patch
AI Analysis

Impact

OpenClaw versions prior to 2026.2.19 contain a race condition between concurrent updateRegistry and removeRegistryEntry operations for sandbox containers and browsers. The lack of synchronization for read‑modify‑write sequences allows attackers to cause registry updates to lose data, resurrect removed entries, or corrupt the sandbox state, impacting list, prune, and recreate operations. This weakness is identified as CWE‑362.

Affected Systems

Affected systems are installations of OpenClaw running any version before 2026.2.19, as indicated by the known version information. The vendor product is OpenClaw:OpenClaw as listed in the CPE string.

Risk and Exploitability

The CVSS score for this vulnerability is 2.0, indicating low severity. EPSS data is not available and the vulnerability is not listed in the CISA KEV catalog. Because the flaw requires concurrent access to registry update functions, the likely attack vector involves an attacker who can trigger simultaneous sandbox or browser sessions. While the immediate risk to confidentiality is low, the integrity and availability of sandbox configurations can be compromised if the race condition is exploited.

Generated by OpenCVE AI on March 19, 2026 at 23:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check for and apply the latest OpenClaw update (version 2026.2.19 or newer).
  • If a patch is not immediately available, limit execution of sandbox containers and browsers that may trigger concurrent registry updates until the update is applied.

Generated by OpenCVE AI on March 19, 2026 at 23:40 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-gq83-8q7q-9hfx OpenClaw's serialize sandbox registry writes to prevent races and delete-rollback corruption
History

Fri, 20 Mar 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 19 Mar 2026 22:15:00 +0000

Type Values Removed Values Added
Description OpenClaw versions prior to 2026.2.19 contain a race condition vulnerability in concurrent updateRegistry and removeRegistryEntry operations for sandbox containers and browsers. Attackers can exploit unsynchronized read-modify-write operations without locking to cause registry updates to lose data, resurrect removed entries, or corrupt sandbox state affecting list, prune, and recreate operations.
Title OpenClaw < 2026.2.19 - Race Condition in Sandbox Registry Write Operations
First Time appeared Openclaw
Openclaw openclaw
Weaknesses CWE-362
CPEs cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*
Vendors & Products Openclaw
Openclaw openclaw
References
Metrics cvssV3_1

{'score': 3.6, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:L'}

cvssV4_0

{'score': 2, 'vector': 'CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N'}

Subscriptions

Openclaw Openclaw
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-20T14:59:14.566Z

Reserved: 2026-03-10T19:48:40.708Z

Link: CVE-2026-32018

cve-icon Vulnrichment

Updated: 2026-03-20T14:59:04.949Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-19T22:16:35.463

Modified: 2026-04-20T14:03:44.843

Link: CVE-2026-32018

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-20T11:05:26Z

Weaknesses