Skip to main content

OpenClaw CVE-2026-41296

HIGH
Time-of-check Time-of-use (TOCTOU) Race Condition (CWE-367)
2026-04-21 disclosure@vulncheck.com GHSA-9p3r-hh9g-5cmg
8.8
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

5
Re-analysis Queued
Apr 21, 2026 - 16:22 vuln.today
cvss_changed
Patch released
Apr 21, 2026 - 02:30 nvd
Patch available
Analysis Generated
Apr 21, 2026 - 00:38 vuln.today
Analysis Generated
Apr 21, 2026 - 00:22 vuln.today
CVE Published
Apr 21, 2026 - 00:16 nvd
HIGH 8.8

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 1 npm packages depend on openclaw (1 direct, 0 indirect)

Ecosystem-wide dependent count for version 2026.3.31.

DescriptionCVE.org

OpenClaw before 2026.3.31 contains a time-of-check-time-of-use race condition in the remote filesystem bridge readFile function that allows sandbox escape. Attackers can exploit the separate path validation and file read operations to bypass sandbox restrictions and read arbitrary files.

AnalysisAI

Remote filesystem bridge in OpenClaw (<2026.3.31) enables sandbox escape through a TOCTOU race condition in readFile validation. Authenticated remote attackers can exploit the timing gap between path validation and file read operations to bypass sandbox restrictions and access arbitrary files outside the intended security boundary, potentially compromising both confidentiality and integrity of the underlying system. EPSS score of 0.03% (7th percentile) suggests low probability of widespread exploitation despite CVSS 8.8 severity, though patch availability from vendor (commit 121870a) enables defenders to remediate proactively before active exploitation begins.

Technical ContextAI

This vulnerability stems from CWE-367 (Time-of-Check-Time-of-Use race condition) in OpenClaw's remote filesystem bridge component. The readFile function performs path validation as a separate step from the actual file read operation, creating a race window where an attacker can substitute a validated safe path with a malicious one between the check and use phases. This classic TOCTOU flaw undermines the sandbox security model by allowing symbolic link attacks, path traversal, or file replacement techniques to bypass intended filesystem isolation. The CVSS 4.0 vector indicates network attack vector with high attack complexity (AV:N/AC:H), requiring low privileges (PR:L) but no user interaction (UI:N), with high impact to both vulnerable and subsequent system confidentiality and integrity (VC:H/VI:H/SC:H/SI:H). The remote filesystem bridge likely supports distributed file operations or remote debugging capabilities, making the sandbox boundary a critical security control.

RemediationAI

Upgrade OpenClaw to version 2026.3.31 or later, which contains the fix for the TOCTOU race condition per vendor advisory GHSA-9p3r-hh9g-5cmg and commit 121870a08583033ed6a0ed73d9ffea32991252bb on GitHub. The patch likely implements atomic file operations or file descriptor-based access to eliminate the race window between validation and read operations. If immediate upgrade is not feasible, disable the remote filesystem bridge component entirely if not required for operations - this eliminates the attack surface but will break any workflows dependent on remote file access capabilities, requiring alternative file transfer mechanisms. For deployments requiring the bridge, restrict network access to the remote filesystem service to trusted IP ranges only and enforce principle of least privilege for accounts with bridge access (PR:L requirement). Implement file integrity monitoring on sensitive directories to detect successful sandbox escapes post-exploitation, though this provides detection rather than prevention. Review application logs for anomalous readFile patterns showing rapid repeated requests to the same paths, which may indicate race condition exploitation attempts. Note that authentication-based mitigations provide limited value since the vulnerability is exploitable by authenticated users (PR:L).

CVE-2026-28446 CRITICAL POC
9.4 Mar 05

Auth bypass in OpenClaw voice-call extension before 2026.2.1. EPSS 0.68%. PoC and patch available.

CVE-2026-33579 CRITICAL POC
9.4 Mar 31

Privilege escalation in OpenClaw (pre-2026.3.28) allows unauthenticated remote attackers to gain administrative access b

CVE-2026-32042 HIGH POC
8.8 Mar 21

OpenClaw versions 2026.2.22 through 2026.2.24 contain a privilege escalation vulnerability that allows authenticated att

CVE-2026-32051 HIGH POC
8.8 Mar 21

An authorization mismatch vulnerability in OpenClaw versions prior to 2026.3.1 allows authenticated users with operator.

CVE-2026-25253 HIGH POC
8.8 Feb 01

OpenClaw versions prior to 2026.1.29 automatically establish WebSocket connections to attacker-controlled gateway URLs e

CVE-2026-32846 HIGH POC
8.7 Mar 26

Path traversal in OpenClaw through version 2026.3.23 enables unauthenticated remote attackers to read arbitrary files in

CVE-2026-32064 HIGH POC
7.7 Mar 21

OpenClaw sandbox browser functionality launches x11vnc for noVNC observer sessions without requiring authentication, all

CVE-2026-32055 HIGH POC
7.6 Mar 21

OpenClaw versions before 2026.2.26 allow authenticated attackers to write arbitrary files outside the workspace director

CVE-2026-32056 HIGH POC
7.5 Mar 21

OpenClaw versions prior to 2026.2.22 contain a shell environment variable injection vulnerability in the system.run func

CVE-2026-32049 HIGH POC
7.5 Mar 21

OpenClaw versions prior to 2026.2.22 contain a resource exhaustion vulnerability where the application fails to consiste

CVE-2026-32048 HIGH POC
7.5 Mar 21

OpenClaw versions prior to 2026.3.1 contain a sandbox escape vulnerability that allows authenticated attackers with low

CVE-2026-25474 HIGH POC
7.5 Feb 19

OpenClaw versions 2026.1.30 and below fail to validate Telegram webhook secret tokens when `channels.telegram.webhookSec

Share

CVE-2026-41296 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy