Reversible One-Way Hash in OpenClaw - CVE-2026-28479

Published: May 4, 2026


Vulnerability identifier: #VU129420
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-28479
CWE-ID: CWE-328
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: OpenClaw
Affected software:
OpenClaw

Detailed vulnerability description

The vulnerability allows a remote attacker to cause unsafe sandbox state reuse.

The vulnerability exists due to the use of a collision-prone hash algorithm in the sandbox identifier cache key generation logic when hashing normalized sandbox configuration payloads. A remote attacker can provide a crafted configuration that collides with another cache identity to cause unsafe sandbox state reuse.

The issue may also increase the risk of cache poisoning when deterministic identifiers are used to decide whether an existing sandbox container can be reused safely.
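The two failure modes the description names, a collision-prone key function and reuse decided by identifier alone, are easiest to see side by side. The following is an added example and is not OpenClaw's code: the configuration fields, the `SandboxCache` class and the 16-bit truncated key standing in for "a collision-prone hash algorithm" are all constructed for illustration. It shows that a full SHA-256 over a canonical serialization removes practical collisions, and that verifying the stored configuration on every cache hit blocks state reuse even if the key function is weak.

```python
import hashlib
import json
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple


def canonicalize(config: dict) -> bytes:
    """Deterministic serialization: sorted keys and fixed separators, so the same
    logical configuration always produces the same bytes before hashing."""
    return json.dumps(config, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=True).encode()


def weak_cache_key(config: dict) -> str:
    """Collision-prone stand-in (constructed): only 16 bits of the digest are
    kept, so distinct configurations frequently share an identifier."""
    return hashlib.sha256(canonicalize(config)).hexdigest()[:4]


def strong_cache_key(config: dict) -> str:
    """Collision-resistant key: the full SHA-256 digest of the canonical form."""
    return hashlib.sha256(canonicalize(config)).hexdigest()


@dataclass
class SandboxCache:
    """Hypothetical cache mapping a configuration identifier to a container.
    verify_on_hit=False models 'reuse decided by identifier alone'."""
    key_fn: Callable[[dict], str]
    verify_on_hit: bool
    # key -> (canonical config bytes, container id)
    entries: Dict[str, Tuple[bytes, str]] = field(default_factory=dict)
    unsafe_reuses: int = 0   # times a different config got an existing container
    mismatches: int = 0      # collisions caught by the on-hit equality check

    def get_or_create(self, config: dict) -> str:
        key = self.key_fn(config)
        canon = canonicalize(config)
        hit = self.entries.get(key)
        if hit is not None:
            stored_canon, container = hit
            if stored_canon == canon:
                return container          # genuine hit: identical configuration
            if not self.verify_on_hit:
                self.unsafe_reuses += 1   # vulnerable path: state crosses configs
                return container
            self.mismatches += 1          # hardened path: refuse reuse, count for alerting
        # Fresh container; a colliding slot is overwritten rather than shared.
        container = "sandbox-" + hashlib.sha256(canon).hexdigest()[:12]
        self.entries[key] = (canon, container)
        return container


def find_weak_collision(base: dict, limit: int = 70_000) -> Optional[Tuple[dict, dict]]:
    """Enumerate constructed variants of `base` until two distinct configurations
    share a weak key. With 65536 possible keys the pigeonhole principle
    guarantees a hit within `limit`; the birthday bound makes it a few hundred."""
    seen: Dict[str, dict] = {}
    for i in range(limit):
        cfg = dict(base, env={"TASK_ID": str(i)})
        k = weak_cache_key(cfg)
        if k in seen and seen[k] != cfg:
            return seen[k], cfg
        seen[k] = cfg
    return None


def demo() -> dict:
    """Run the vulnerable and hardened caches on a colliding pair of configs."""
    base = {"image": "python:3.12", "network": False, "mounts": ["/workspace"]}
    pair = find_weak_collision(base)
    if pair is None:
        raise RuntimeError("no collision found within limit")
    cfg_a, cfg_b = pair
    vulnerable = SandboxCache(weak_cache_key, verify_on_hit=False)
    hardened = SandboxCache(strong_cache_key, verify_on_hit=True)
    return {
        "weak_keys_collide": weak_cache_key(cfg_a) == weak_cache_key(cfg_b),
        "strong_keys_collide": strong_cache_key(cfg_a) == strong_cache_key(cfg_b),
        "vulnerable_reused_state": vulnerable.get_or_create(cfg_a)
                                   == vulnerable.get_or_create(cfg_b),
        "hardened_reused_state": hardened.get_or_create(cfg_a)
                                 == hardened.get_or_create(cfg_b),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The on-hit equality check is the part worth keeping regardless of which hash is chosen: it turns a key collision from silent state reuse into a counted mismatch that can be surfaced to logging, which is also the signal a detection rule for this class of bug would watch for.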


How to mitigate CVE-2026-28479

Install the security update from the vendor's website.

Sources