OpenClaw
CVE-2026-41296
HIGH
Severity by source
CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
5Blast Radius
ecosystem impact- 1 npm packages depend on openclaw (1 direct, 0 indirect)
Ecosystem-wide dependent count for version 2026.3.31.
DescriptionCVE.org
OpenClaw before 2026.3.31 contains a time-of-check-time-of-use race condition in the remote filesystem bridge readFile function that allows sandbox escape. Attackers can exploit the separate path validation and file read operations to bypass sandbox restrictions and read arbitrary files.
AnalysisAI
Remote filesystem bridge in OpenClaw (<2026.3.31) enables sandbox escape through a TOCTOU race condition in readFile validation. Authenticated remote attackers can exploit the timing gap between path validation and file read operations to bypass sandbox restrictions and access arbitrary files outside the intended security boundary, potentially compromising both confidentiality and integrity of the underlying system. EPSS score of 0.03% (7th percentile) suggests low probability of widespread exploitation despite CVSS 8.8 severity, though patch availability from vendor (commit 121870a) enables defenders to remediate proactively before active exploitation begins.
Technical ContextAI
This vulnerability stems from CWE-367 (Time-of-Check-Time-of-Use race condition) in OpenClaw's remote filesystem bridge component. The readFile function performs path validation as a separate step from the actual file read operation, creating a race window where an attacker can substitute a validated safe path with a malicious one between the check and use phases. This classic TOCTOU flaw undermines the sandbox security model by allowing symbolic link attacks, path traversal, or file replacement techniques to bypass intended filesystem isolation. The CVSS 4.0 vector indicates network attack vector with high attack complexity (AV:N/AC:H), requiring low privileges (PR:L) but no user interaction (UI:N), with high impact to both vulnerable and subsequent system confidentiality and integrity (VC:H/VI:H/SC:H/SI:H). The remote filesystem bridge likely supports distributed file operations or remote debugging capabilities, making the sandbox boundary a critical security control.
RemediationAI
Upgrade OpenClaw to version 2026.3.31 or later, which contains the fix for the TOCTOU race condition per vendor advisory GHSA-9p3r-hh9g-5cmg and commit 121870a08583033ed6a0ed73d9ffea32991252bb on GitHub. The patch likely implements atomic file operations or file descriptor-based access to eliminate the race window between validation and read operations. If immediate upgrade is not feasible, disable the remote filesystem bridge component entirely if not required for operations - this eliminates the attack surface but will break any workflows dependent on remote file access capabilities, requiring alternative file transfer mechanisms. For deployments requiring the bridge, restrict network access to the remote filesystem service to trusted IP ranges only and enforce principle of least privilege for accounts with bridge access (PR:L requirement). Implement file integrity monitoring on sensitive directories to detect successful sandbox escapes post-exploitation, though this provides detection rather than prevention. Review application logs for anomalous readFile patterns showing rapid repeated requests to the same paths, which may indicate race condition exploitation attempts. Note that authentication-based mitigations provide limited value since the vulnerability is exploitable by authenticated users (PR:L).
Auth bypass in OpenClaw voice-call extension before 2026.2.1. EPSS 0.68%. PoC and patch available.
Privilege escalation in OpenClaw (pre-2026.3.28) allows unauthenticated remote attackers to gain administrative access b
OpenClaw versions 2026.2.22 through 2026.2.24 contain a privilege escalation vulnerability that allows authenticated att
An authorization mismatch vulnerability in OpenClaw versions prior to 2026.3.1 allows authenticated users with operator.
OpenClaw versions prior to 2026.1.29 automatically establish WebSocket connections to attacker-controlled gateway URLs e
Path traversal in OpenClaw through version 2026.3.23 enables unauthenticated remote attackers to read arbitrary files in
OpenClaw sandbox browser functionality launches x11vnc for noVNC observer sessions without requiring authentication, all
OpenClaw versions before 2026.2.26 allow authenticated attackers to write arbitrary files outside the workspace director
OpenClaw versions prior to 2026.2.22 contain a shell environment variable injection vulnerability in the system.run func
OpenClaw versions prior to 2026.2.22 contain a resource exhaustion vulnerability where the application fails to consiste
OpenClaw versions prior to 2026.3.1 contain a sandbox escape vulnerability that allows authenticated attackers with low
OpenClaw versions 2026.1.30 and below fail to validate Telegram webhook secret tokens when `channels.telegram.webhookSec
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-9p3r-hh9g-5cmg