Listen to this Post
The vulnerability resides in the `normalizeForHash` function within src/agents/sandbox/config-hash.ts. This function was designed to create a deterministic hash from a sandbox configuration object to decide if a running container needs to be recreated. To achieve determinism, it recursively sorted the keys of objects. However, it also recursively sorted the elements of any arrays it encountered, provided those arrays contained only primitive values (like strings or numbers). This array-sorting behavior introduced a critical flaw: order-sensitive configuration changes were ignored. In OpenClaw, the sandbox configuration includes Docker options such as `dns` servers and `binds` for volume mounts, which are arrays where the order can be significant for correct operation. Because the function sorted these arrays before hashing, a configuration change that only reordered the `dns` or `binds` list produced the exact same hash as the previous configuration. Consequently, the system incorrectly determined that no changes had been made and reused the existing, stale sandbox container instead of recreating it with the new configuration order. This results in a configuration integrity issue, potentially leading to an inconsistent or unintended environment for the AI agent .
Platform: OpenClaw (npm)
Version: <=2026.2.14
Vulnerability : Config Integrity
Severity: Medium
date: 2026-02-18
Prediction: Patched 2026-02-15
What Undercode Say:
Analytics
This vulnerability can be analyzed by inspecting the hash function’s behavior and comparing it to the container orchestration logic.
1. Inspect the vulnerable function (conceptually):
This is a conceptual representation of the vulnerable logic.
The actual code is in src/agents/sandbox/config-hash.ts
echo "
function normalizeForHash(obj) {
if (Array.isArray(obj) && obj.every(v => typeof v !== 'object')) {
// Vulnerable: sorts arrays of primitives
return [...obj].sort();
}
// ... rest of the function
}"
2. Simulate the vulnerable hashing logic:
Simulate two configs with different array orders
node -e "
const crypto = require('crypto');
const config1 = { dns: ['8.8.8.8', '1.1.1.1'], binds: ['/data:/data', '/tmp:/tmp'] };
const config2 = { dns: ['1.1.1.1', '8.8.8.8'], binds: ['/tmp:/tmp', '/data:/data'] };
const hash1 = crypto.createHash('sha256').update(JSON.stringify(config1)).digest('hex');
const hash2 = crypto.createHash('sha256').update(JSON.stringify(config2)).digest('hex');
console.log('Without vulnerable sort, hashes are different:');
console.log('Hash1:', hash1);
console.log('Hash2:', hash2);
console.log('Hashes equal?', hash1 === hash2);
// Simulate the vulnerable normalizeForHash by sorting arrays
function vulnerableNormalize(obj) {
if (Array.isArray(obj) && obj.every(v => typeof v !== 'object')) {
return [...obj].sort(); // The flaw
}
if (obj && typeof obj === 'object') {
const newObj = {};
Object.keys(obj).sort().forEach(key => {
newObj[bash] = vulnerableNormalize(obj[bash]);
});
return newObj;
}
return obj;
}
const normConfig1 = vulnerableNormalize(config1);
const normConfig2 = vulnerableNormalize(config2);
const vulnHash1 = crypto.createHash('sha256').update(JSON.stringify(normConfig1)).digest('hex');
const vulnHash2 = crypto.createHash('sha256').update(JSON.stringify(normConfig2)).digest('hex');
console.log('\nWith vulnerable sort, hashes become identical:');
console.log('Vuln Hash1:', vulnHash1);
console.log('Vuln Hash2:', vulnHash2);
console.log('Vulnerable hashes equal?', vulnHash1 === vulnHash2);
"
3. Check current version and logs for stale container reuse:
Check OpenClaw version openclaw --version Inspect OpenClaw daemon logs for evidence of container reuse decisions Look for messages about "reusing existing container" despite config changes journalctl -u openclaw --since "2026-02-01" | grep -i "reuse.container" Or check specific sandbox logs cat ~/.openclaw/logs/sandbox.log | grep -E "config hash|recreating container|reusing container"
4. Verify the fix is applied:
Check if the installed version contains the fix commit npm list openclaw After upgrading, you can verify the patch by checking the commit history Go to your local OpenClaw node_modules directory and check the log cd node_modules/openclaw git log --oneline | grep 41ded303b4f6dae5afa854531ff837c3276ad60b
Exploit
While not directly exploitable for code execution, an attacker who can influence the order of array-based configuration parameters (e.g., via a configuration management system or a malicious configuration file) can cause a sandbox to run with a different configuration than intended by the operator, leading to inconsistent or insecure behavior.
Example of a configuration change that would be ignored Original config in openclaw.yaml sandbox: docker: dns: - 8.8.8.8 - 1.1.1.1 binds: - /safe-data:/data:ro - /unsafe-data:/data:rw Malicious reordering (or reordering through a compromised process) The hash remains the same, so the container is not recreated The running container will still use the original order sandbox: docker: dns: - 1.1.1.1 Order swapped - 8.8.8.8 binds: - /unsafe-data:/data:rw Now the read-write bind is processed first - /safe-data:/data:ro Command to apply a new config that should trigger a recreation openclaw config set --file malicious_config.yaml If vulnerable, the logs will show that the container was reused instead of being recreated with the new order grep "reusing container" ~/.openclaw/logs/sandbox.log
Protection from this CVE
The primary protection is to upgrade to the patched version where array ordering is preserved during hash normalization.
1. Upgrade to the patched version:
Upgrade OpenClaw globally via npm to version 2026.2.15 or later npm install -g openclaw@latest Verify the upgrade npm list -g openclaw --depth=0
2. If an immediate upgrade is not possible, apply a temporary workaround:
Force a container recreation by manually stopping and removing sandbox containers when you make order-sensitive changes. This ensures a fresh container is created. List OpenClaw sandbox containers docker ps -a --filter "name=openclaw-sandbox" Before applying a configuration change, stop and remove the relevant container docker stop openclaw-sandbox-<id> docker rm openclaw-sandbox-<id> Then apply your configuration change and restart the OpenClaw service openclaw config set --file new_config.yaml systemctl --user restart openclaw
3. Audit configurations for order-sensitive arrays:
Check your OpenClaw configuration for arrays where order might matter grep -E "dns:|binds:|(array)" ~/.openclaw/config.yaml
Impact
Successful exploitation of this configuration integrity issue leads to the reuse of stale sandbox containers with an outdated or incorrectly ordered configuration. For example, if the order of `binds` in a Docker configuration is changed to prioritize a read-write volume mount over a read-only one, the sandbox might operate with unintended write access to sensitive directories . This can result in inconsistent behavior of the AI agent, unexpected file system permissions, or incorrect network settings (e.g., DNS resolution order). While it does not directly lead to remote code execution, it weakens the security posture of the sandboxed environment and can be a stepping stone for further attacks by creating a mismatch between the expected and actual runtime context .
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

