An open API service providing security vulnerability metadata for many open source software ecosystems.

GSA_kwCzR0hTQS1ncTgzLThxN3EtOWhmeM4ABTFn

Moderate CVSS: 6.9

OpenClaw's serialize sandbox registry writes to prevent races and delete-rollback corruption

Affected Packages        Affected Versions    Fixed Versions
npm:openclaw             < 2026.2.19          2026.2.19
  PURL: pkg:npm/openclaw
  0 dependent packages, 0 dependent repositories, 6,021,905 downloads last month

Affected Version Ranges

All affected versions

0.0.1, 2026.1.29, 2026.1.29-beta.1, 2026.1.29-beta.2, 2026.1.29-beta.3, 2026.1.29-beta.4, 2026.1.29-beta.5, 2026.1.29-beta.7, 2026.1.30, 2026.2.1, 2026.2.2, 2026.2.2-1, 2026.2.2-2, 2026.2.2-3, 2026.2.3, 2026.2.3-1, 2026.2.6, 2026.2.6-1, 2026.2.6-2, 2026.2.6-3, 2026.2.9, 2026.2.12, 2026.2.13, 2026.2.14, 2026.2.15, 2026.2.17, 2026.2.19-1, 2026.2.19-2

All unaffected versions

2026.2.19, 2026.2.21, 2026.2.22, 2026.2.23, 2026.2.24, 2026.2.25, 2026.2.26, 2026.3.1, 2026.3.2, 2026.3.7, 2026.3.8, 2026.3.11

Impact

Concurrent updateRegistry/removeRegistryEntry operations for sandbox containers and browsers could lose updates or resurrect removed entries under race conditions.

The registry writes were unlocked read-modify-write sequences with permissive fallback parsing, so concurrent updates could operate on stale snapshots of the registry and overwrite each other's changes.

This desynchronizes sandbox state and can affect the behavior of sandbox list, sandbox prune, and sandbox recreate --all.
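The following is an added illustration, not OpenClaw's code: an in-memory model of the read-modify-write registry pattern described in the Impact section, placed next to a serialized version. The `store.raw` string stands in for the registry file, the setTimeout awaits model the I/O window between read and write, and the entry ids and status values are constructed sample data. It reproduces both failure modes named above (a lost update and a resurrected entry) and shows that queueing mutations on one promise chain per store prevents them.

```javascript
// Added example (not OpenClaw's code): racy vs. serialized registry writes.
function createStore(initialRaw = "{}") {
  return { raw: initialRaw, chain: Promise.resolve() };
}

const tick = () => new Promise((resolve) => setTimeout(resolve, 0));

async function readRaw(store) {
  const snapshot = store.raw; // may be stale by the time the caller writes
  await tick();
  return snapshot;
}

async function writeRaw(store, raw) {
  await tick();
  store.raw = raw;
}

// Permissive fallback: unreadable content becomes an empty registry, so a
// single write after a bad read silently drops every existing entry.
function parsePermissive(raw) {
  try {
    return JSON.parse(raw);
  } catch {
    return {};
  }
}

// Strict parsing: corrupt content is an error, never an empty registry.
function parseStrict(raw) {
  const reg = JSON.parse(raw);
  if (reg === null || typeof reg !== "object" || Array.isArray(reg)) {
    throw new Error("registry is not a JSON object");
  }
  return reg;
}

// Racy pattern: nothing prevents two callers from interleaving read and write.
async function updateRegistryRacy(store, id, entry) {
  const reg = parsePermissive(await readRaw(store));
  reg[id] = entry;
  await writeRaw(store, JSON.stringify(reg));
}

async function removeRegistryEntryRacy(store, id) {
  const reg = parsePermissive(await readRaw(store));
  delete reg[id];
  await writeRaw(store, JSON.stringify(reg));
}

// Serialized pattern: every mutation queues on one promise chain per store,
// so each read sees the previous write. This is an in-process mutex only;
// processes sharing a file would also need a file lock or an atomic rename.
function withRegistryLock(store, fn) {
  const run = store.chain.then(fn);
  store.chain = run.then(() => undefined, () => undefined);
  return run;
}

function updateRegistry(store, id, entry) {
  return withRegistryLock(store, async () => {
    const reg = parseStrict(await readRaw(store));
    reg[id] = entry;
    await writeRaw(store, JSON.stringify(reg));
  });
}

function removeRegistryEntry(store, id) {
  return withRegistryLock(store, async () => {
    const reg = parseStrict(await readRaw(store));
    delete reg[id];
    await writeRaw(store, JSON.stringify(reg));
  });
}

// Runs the operations concurrently and returns the sorted surviving entry ids.
async function runConcurrently(store, ops) {
  await Promise.all(ops.map((op) => op()));
  return Object.keys(JSON.parse(store.raw)).sort();
}

// Lost update: both racy adds read "{}", the second write wins.
function lostUpdateDemo() {
  const store = createStore("{}");
  return runConcurrently(store, [
    () => updateRegistryRacy(store, "sandbox-a", { status: "running" }),
    () => updateRegistryRacy(store, "sandbox-b", { status: "running" }),
  ]);
}

// Resurrection: a racy remove and add both read the old snapshot, so the
// removed entry is written back by the add.
function resurrectionDemo() {
  const store = createStore(JSON.stringify({ "sandbox-a": { status: "stopped" } }));
  return runConcurrently(store, [
    () => removeRegistryEntryRacy(store, "sandbox-a"),
    () => updateRegistryRacy(store, "sandbox-b", { status: "running" }),
  ]);
}

// The same two scenarios through the serialized path keep both entries,
// and respectively drop exactly the removed one.
function serializedAddDemo() {
  const store = createStore("{}");
  return runConcurrently(store, [
    () => updateRegistry(store, "sandbox-a", { status: "running" }),
    () => updateRegistry(store, "sandbox-b", { status: "running" }),
  ]);
}

function serializedRemoveDemo() {
  const store = createStore(JSON.stringify({ "sandbox-a": { status: "stopped" } }));
  return runConcurrently(store, [
    () => removeRegistryEntry(store, "sandbox-a"),
    () => updateRegistry(store, "sandbox-b", { status: "running" }),
  ]);
}
```

Each demo builds its own store, so they can run in any order; `lostUpdateDemo` resolves to only `sandbox-b`, `resurrectionDemo` brings `sandbox-a` back, while the serialized versions resolve to both ids and to `sandbox-b` alone.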

Affected Packages / Versions

  • Package: openclaw (npm)
  • Affected versions: <= 2026.2.17
  • Patched versions: 2026.2.18

Fix Commit(s)

  • cc29be8c9

OpenClaw thanks @kexinoh for reporting.

References: