{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-06-10T07:30:26.981","vulnerabilities":[{"cve":{"id":"CVE-2026-27007","sourceIdentifier":"security-advisories@github.com","published":"2026-02-20T00:16:17.303","lastModified":"2026-02-20T18:04:01.157","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"OpenClaw is a personal AI assistant. Prior to version 2026.2.15, `normalizeForHash` in `src/agents/sandbox/config-hash.ts` recursively sorted arrays that contained only primitive values. This made order-sensitive sandbox configuration arrays hash to the same value even when order changed. In OpenClaw sandbox flows, this hash is used to decide whether existing sandbox containers should be recreated. As a result, order-only config changes (for example Docker `dns` and `binds` array order) could be treated as unchanged and stale containers could be reused. This is a configuration integrity issue affecting sandbox recreation behavior. Starting in version 2026.2.15, array ordering is preserved during hash normalization; only object key ordering remains normalized for deterministic hashing."},{"lang":"es","value":"OpenClaw es un asistente personal de IA. Antes de la versión 2026.2.15, 'normalizeForHash' en 'src/agents/sandbox/config-hash.ts' ordenaba recursivamente los arrays que contenían solo valores primitivos. Esto hacía que los arrays de configuración de la sandbox sensibles al orden se hashificaran al mismo valor incluso cuando el orden cambiaba. En los flujos de la sandbox de OpenClaw, este hash se utiliza para decidir si los contenedores de la sandbox existentes deben recrearse. Como resultado, los cambios de configuración solo de orden (por ejemplo, el orden de los arrays 'dns' y 'binds' de Docker) podían tratarse como sin cambios y los contenedores obsoletos podían reutilizarse. Esto es un problema de integridad de la configuración que afecta el comportamiento de recreación de la sandbox. A partir de la versión 2026.2.15, el orden de los arrays se conserva durante la normalización del hash; solo el orden de las claves de los objetos permanece normalizado para un hashing determinista."}],"metrics":{"cvssMetricV40":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":4.8,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"LOW","userInteraction":"NONE","vulnConfidentialityImpact":"NONE","vulnIntegrityImpact":"LOW","vulnAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N","baseScore":3.3,"baseSeverity":"LOW","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":1.8,"impactScore":1.4}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-1254"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*","versionEndExcluding":"2026.2.15","matchCriteriaId":"3CD9AC99-DDDF-4177-9253-04A63CA027DC"}]}]}],"references":[{"url":"https://github.com/openclaw/openclaw/commit/41ded303b4f6dae5afa854531ff837c3276ad60b","source":"security-advisories@github.com","tags":["Patch"]},{"url":"https://github.com/openclaw/openclaw/releases/tag/v2026.2.15","source":"security-advisories@github.com","tags":["Product","Release Notes"]},{"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-xxvh-5hwj-42pp","source":"security-advisories@github.com","tags":["Vendor Advisory","Patch"]}]}}]}