Listen to this Post
The vulnerability resides in the skill installation process of OpenClaw versions up to 2026.3.7. The installer validates the intended per-skill tools root directory using a lexical (string-based) path. However, this path object is mutable and is reused later in the process for the actual download and copy operations. A local attacker with the ability to influence the filesystem state (e.g., through symbolic links or bind mounts) could exploit a Time-of-Check to Time-of-Use (TOCTOU) race condition. Between the initial validation and the final file write, the attacker could rebind the tools-root path to point to a different location on the system. Because the installer reuses the now-mutated path, it would then write the skill’s archive contents outside the intended, sandboxed tools directory, potentially to a sensitive system location. The fix, implemented in commit 9abf014f3502009faf9c73df5ca2cff719e54639, resolves this by “pinning” the canonical path immediately after validation. All subsequent operations derive paths from this immutable, canonical root, rendering any post-validation rebinding ineffective and causing the operation to fail closed.
dailycve form:
Platform: OpenClaw (npm)
Version: <= 2026.3.7
Vulnerability : TOCTOU Path Traversal
Severity: Moderate
date: Mar 9 2026
Prediction: Mar 9 2026
What Undercode Say:
Analytics:
- Package: `openclaw` on npm
- Affected Range: Versions up to and including `2026.3.7`
– Fix Version:2026.3.8, released on March 9, 2026 - Fix Commit: `9abf014f3502009faf9c73df5ca2cff719e54639`
– Vulnerability Type: Time-of-Check to Time-of-Use (TOCTOU) / Path Traversal - Attack Vector: Local, requiring ability to manipulate filesystem paths during a race window.
- Root Cause: Reusing a mutable path object for file operations after it has been validated.
Bash Commands and Codes:
You can simulate the vulnerable condition by attempting to change a symbolic link during a file operation. This is a simplified demonstration of the race concept.
Create a test environment (DO NOT RUN ON PRODUCTION SYSTEMS)
mkdir -p /tmp/openclaw_test/{target,payload,link}
Create a symbolic link pointing to the intended target initially
ln -s /tmp/openclaw_test/target /tmp/openclaw_test/link
In a real attack, a process would change this link during the race window
For testing, you can manually change the link after validation but before the write
Example: rm /tmp/openclaw_test/link && ln -s /etc /tmp/openclaw_test/link
The vulnerable code would validate /tmp/openclaw_test/link (points to target)
but later write to /tmp/openclaw_test/link. If the link changed to /etc,
the write would occur in /etc.
How Exploit:
- An attacker with local access identifies a skill installation process in progress on a vulnerable OpenClaw instance (<=2026.3.7).
- The attacker prepares a malicious bind mount or symbolic link that can be flipped to point from the intended safe directory (e.g.,
/var/openclaw/tools/) to a sensitive system directory (e.g.,/etc/systemd/system/). - As the OpenClaw installer performs its lexical validation of the tools-root path, it sees the safe directory.
- Immediately after validation, but before the installer uses the path again to write the skill archive, the attacker triggers the rebinding of the path (e.g., by swapping the symlink target).
- The installer, reusing the now-mutated path, writes the skill’s files (which could be malicious scripts or service files) directly into the attacker-chosen sensitive directory .
Protection from this CVE:
- Immediate Update: Upgrade the `openclaw` npm package to version `2026.3.8` or later. This is the primary and most effective mitigation.
npm update openclaw@latest
- Canonical Path Resolution: Ensure that after validating a path, the application resolves and stores the canonical path (free of symlinks and
./..components). All subsequent operations must use this pinned canonical path, not the user-modifiable original string. - Principle of Least Privilege: Run the OpenClaw agent with the minimum necessary filesystem permissions. It should not have write access to system-critical directories like `/etc` or `/usr/bin` .
- Filesystem Hardening: Consider using dedicated mount namespaces or containers to isolate the OpenClaw installation environment, making it more difficult for a local attacker to influence paths outside the container.
Impact:
- Arbitrary File Write: A successful exploit allows an attacker to write files to arbitrary locations on the filesystem where the OpenClaw process has write permissions .
- Privilege Escalation: By writing malicious files to directories like
/etc/cron.d/,/etc/systemd/system/, or a user’s~/.bashrc, an attacker can achieve privilege escalation or persistent code execution. - System Compromise: Overwriting critical system binaries or configuration files can lead to a full system compromise or persistent backdoor access .
- Supply Chain Weaponization: This vulnerability turns the trusted administrative function of installing a skill into a direct vector for host compromise, amplifying the risk from malicious skills in marketplaces like ClawHub .
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

