Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-96ju-h5y3-xuf5
Vulnerability ID VCID-96ju-h5y3-xuf5
Aliases CVE-2026-27007
GHSA-xxvh-5hwj-42pp
Summary OpenClaw's sandbox config hash sorted primitive arrays and suppressed needed container recreation `normalizeForHash` in `src/agents/sandbox/config-hash.ts` recursively sorted arrays that contained only primitive values. This made order-sensitive sandbox configuration arrays hash to the same value even when order changed. In OpenClaw sandbox flows, this hash is used to decide whether existing sandbox containers should be recreated. As a result, order-only config changes (for example Docker `dns` and `binds` array order) could be treated as unchanged and stale containers could be reused. This is a configuration integrity issue affecting sandbox recreation behavior.
Status Published
Exploitability None
Weighted Severity None
Risk None
Affected and Fixed Packages Package Details
Weaknesses (3)
CWE-1254 Incorrect Comparison Logic Granularity
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
epss 6e-05 https://api.first.org/data/v1/epss?cve=CVE-2026-27007
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-xxvh-5hwj-42pp
cvssv4 4.8 https://github.com/openclaw/openclaw
generic_textual MODERATE https://github.com/openclaw/openclaw
cvssv4 4.8 https://github.com/openclaw/openclaw/commit/41ded303b4f6dae5afa854531ff837c3276ad60b
generic_textual MODERATE https://github.com/openclaw/openclaw/commit/41ded303b4f6dae5afa854531ff837c3276ad60b
ssvc Track https://github.com/openclaw/openclaw/commit/41ded303b4f6dae5afa854531ff837c3276ad60b
cvssv4 4.8 https://github.com/openclaw/openclaw/releases/tag/v2026.2.15
generic_textual MODERATE https://github.com/openclaw/openclaw/releases/tag/v2026.2.15
ssvc Track https://github.com/openclaw/openclaw/releases/tag/v2026.2.15
cvssv3.1_qr MODERATE https://github.com/openclaw/openclaw/security/advisories/GHSA-xxvh-5hwj-42pp
cvssv4 4.8 https://github.com/openclaw/openclaw/security/advisories/GHSA-xxvh-5hwj-42pp
generic_textual MODERATE https://github.com/openclaw/openclaw/security/advisories/GHSA-xxvh-5hwj-42pp
ssvc Track https://github.com/openclaw/openclaw/security/advisories/GHSA-xxvh-5hwj-42pp
cvssv4 4.8 https://nvd.nist.gov/vuln/detail/CVE-2026-27007
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2026-27007
Reference id Reference type URL
https://api.first.org/data/v1/epss?cve=CVE-2026-27007
https://github.com/openclaw/openclaw
https://github.com/openclaw/openclaw/commit/41ded303b4f6dae5afa854531ff837c3276ad60b
https://github.com/openclaw/openclaw/releases/tag/v2026.2.15
CVE-2026-27007 https://nvd.nist.gov/vuln/detail/CVE-2026-27007
GHSA-xxvh-5hwj-42pp https://github.com/advisories/GHSA-xxvh-5hwj-42pp
GHSA-xxvh-5hwj-42pp https://github.com/openclaw/openclaw/security/advisories/GHSA-xxvh-5hwj-42pp
No exploits are available.
Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N Found at https://github.com/openclaw/openclaw
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N Found at https://github.com/openclaw/openclaw/commit/41ded303b4f6dae5afa854531ff837c3276ad60b
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-20T15:26:52Z/ Found at https://github.com/openclaw/openclaw/commit/41ded303b4f6dae5afa854531ff837c3276ad60b
Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N Found at https://github.com/openclaw/openclaw/releases/tag/v2026.2.15
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-20T15:26:52Z/ Found at https://github.com/openclaw/openclaw/releases/tag/v2026.2.15
Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N Found at https://github.com/openclaw/openclaw/security/advisories/GHSA-xxvh-5hwj-42pp
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-20T15:26:52Z/ Found at https://github.com/openclaw/openclaw/security/advisories/GHSA-xxvh-5hwj-42pp
Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N Found at https://nvd.nist.gov/vuln/detail/CVE-2026-27007
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.00361
EPSS Score 6e-05
Published At May 30, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-05-30T21:06:40.629281+00:00 GitLab Importer Import https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/openclaw/CVE-2026-27007.yml 38.6.0