OpenClaw (npm), Config Integrity Issue, CVE-2026-XXXXX (Medium)

Listen to this Post

The vulnerability resides in the `normalizeForHash` function within src/agents/sandbox/config-hash.ts. This function was designed to create a deterministic hash from a sandbox configuration object to decide if a running container needs to be recreated. To achieve determinism, it recursively sorted the keys of objects. However, it also recursively sorted the elements of any arrays it encountered, provided those arrays contained only primitive values (like strings or numbers). This array-sorting behavior introduced a critical flaw: order-sensitive configuration changes were ignored. In OpenClaw, the sandbox configuration includes Docker options such as `dns` servers and `binds` for volume mounts, which are arrays where the order can be significant for correct operation. Because the function sorted these arrays before hashing, a configuration change that only reordered the `dns` or `binds` list produced the exact same hash as the previous configuration. Consequently, the system incorrectly determined that no changes had been made and reused the existing, stale sandbox container instead of recreating it with the new configuration order. This results in a configuration integrity issue, potentially leading to an inconsistent or unintended environment for the AI agent .
Platform: OpenClaw (npm)
Version: <=2026.2.14
Vulnerability : Config Integrity
Severity: Medium
date: 2026-02-18

Prediction: Patched 2026-02-15

What Undercode Say:

Analytics

This vulnerability can be analyzed by inspecting the hash function’s behavior and comparing it to the container orchestration logic.

1. Inspect the vulnerable function (conceptually):

This is a conceptual representation of the vulnerable logic.
The actual code is in src/agents/sandbox/config-hash.ts
echo "
function normalizeForHash(obj) {
if (Array.isArray(obj) && obj.every(v => typeof v !== 'object')) {
// Vulnerable: sorts arrays of primitives
return [...obj].sort();
}
// ... rest of the function
}"

2. Simulate the vulnerable hashing logic:

Simulate two configs with different array orders
node -e "
const crypto = require('crypto');
const config1 = { dns: ['8.8.8.8', '1.1.1.1'], binds: ['/data:/data', '/tmp:/tmp'] };
const config2 = { dns: ['1.1.1.1', '8.8.8.8'], binds: ['/tmp:/tmp', '/data:/data'] };
const hash1 = crypto.createHash('sha256').update(JSON.stringify(config1)).digest('hex');
const hash2 = crypto.createHash('sha256').update(JSON.stringify(config2)).digest('hex');
console.log('Without vulnerable sort, hashes are different:');
console.log('Hash1:', hash1);
console.log('Hash2:', hash2);
console.log('Hashes equal?', hash1 === hash2);
// Simulate the vulnerable normalizeForHash by sorting arrays
function vulnerableNormalize(obj) {
if (Array.isArray(obj) && obj.every(v => typeof v !== 'object')) {
return [...obj].sort(); // The flaw
}
if (obj && typeof obj === 'object') {
const newObj = {};
Object.keys(obj).sort().forEach(key => {
newObj[bash] = vulnerableNormalize(obj[bash]);
});
return newObj;
}
return obj;
}
const normConfig1 = vulnerableNormalize(config1);
const normConfig2 = vulnerableNormalize(config2);
const vulnHash1 = crypto.createHash('sha256').update(JSON.stringify(normConfig1)).digest('hex');
const vulnHash2 = crypto.createHash('sha256').update(JSON.stringify(normConfig2)).digest('hex');
console.log('\nWith vulnerable sort, hashes become identical:');
console.log('Vuln Hash1:', vulnHash1);
console.log('Vuln Hash2:', vulnHash2);
console.log('Vulnerable hashes equal?', vulnHash1 === vulnHash2);
"

3. Check current version and logs for stale container reuse:

Check OpenClaw version
openclaw --version
Inspect OpenClaw daemon logs for evidence of container reuse decisions
Look for messages about "reusing existing container" despite config changes
journalctl -u openclaw --since "2026-02-01" | grep -i "reuse.container"
Or check specific sandbox logs
cat ~/.openclaw/logs/sandbox.log | grep -E "config hash|recreating container|reusing container"

4. Verify the fix is applied:

Check if the installed version contains the fix commit
npm list openclaw
After upgrading, you can verify the patch by checking the commit history
Go to your local OpenClaw node_modules directory and check the log
cd node_modules/openclaw
git log --oneline | grep 41ded303b4f6dae5afa854531ff837c3276ad60b

Exploit

While not directly exploitable for code execution, an attacker who can influence the order of array-based configuration parameters (e.g., via a configuration management system or a malicious configuration file) can cause a sandbox to run with a different configuration than intended by the operator, leading to inconsistent or insecure behavior.

Example of a configuration change that would be ignored
Original config in openclaw.yaml
sandbox:
docker:
dns:
- 8.8.8.8
- 1.1.1.1
binds:
- /safe-data:/data:ro
- /unsafe-data:/data:rw
Malicious reordering (or reordering through a compromised process)
The hash remains the same, so the container is not recreated
The running container will still use the original order
sandbox:
docker:
dns:
- 1.1.1.1 Order swapped
- 8.8.8.8
binds:
- /unsafe-data:/data:rw Now the read-write bind is processed first
- /safe-data:/data:ro
Command to apply a new config that should trigger a recreation
openclaw config set --file malicious_config.yaml
If vulnerable, the logs will show that the container was reused
instead of being recreated with the new order
grep "reusing container" ~/.openclaw/logs/sandbox.log

Protection from this CVE

The primary protection is to upgrade to the patched version where array ordering is preserved during hash normalization.

1. Upgrade to the patched version:

Upgrade OpenClaw globally via npm to version 2026.2.15 or later
npm install -g openclaw@latest
Verify the upgrade
npm list -g openclaw --depth=0

2. If an immediate upgrade is not possible, apply a temporary workaround:

Force a container recreation by manually stopping and removing sandbox containers
when you make order-sensitive changes. This ensures a fresh container is created.
List OpenClaw sandbox containers
docker ps -a --filter "name=openclaw-sandbox"
Before applying a configuration change, stop and remove the relevant container
docker stop openclaw-sandbox-<id>
docker rm openclaw-sandbox-<id>
Then apply your configuration change and restart the OpenClaw service
openclaw config set --file new_config.yaml
systemctl --user restart openclaw

3. Audit configurations for order-sensitive arrays:

Check your OpenClaw configuration for arrays where order might matter
grep -E "dns:|binds:|(array)" ~/.openclaw/config.yaml

Impact

Successful exploitation of this configuration integrity issue leads to the reuse of stale sandbox containers with an outdated or incorrectly ordered configuration. For example, if the order of `binds` in a Docker configuration is changed to prioritize a read-write volume mount over a read-only one, the sandbox might operate with unintended write access to sensitive directories . This can result in inconsistent behavior of the AI agent, unexpected file system permissions, or incorrect network settings (e.g., DNS resolution order). While it does not directly lead to remote code execution, it weakens the security posture of the sandboxed environment and can be a stepping stone for further attacks by creating a mismatch between the expected and actual runtime context .

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top