OpenClaw versions prior to 2026.2.15 use SHA-1 to hash sandbox identifier cache keys for Docker and browser sandbox configurations, which is deprecated and vuln…

OpenClaw versions prior to 2026.2.15 contain a critical vulnerability where SHA-1 hashing is used for sandbox identifier cache keys in Docker and browser sandbox configurations. SHA-1 is deprecated and vulnerable to collision attacks. Attackers can exploit SHA-1 collisions to cause cache poisoning, allowing one sandbox configuration to be misinterpreted as another. This enables unsafe sandbox state reuse, potentially compromising sandbox security boundaries. The vulnerability affects both Docker and browser sandbox configurations within the OpenClaw platform.