OpenClaw (npm), Time-of-Check Time-of-Use (TOCTOU) Race Condition, CVE-2026-XXXX (Moderate)

Listen to this Post

The vulnerability exists in OpenClaw’s `exec` script preflight validator. The vulnerable code path performed two distinct operations on a file path: first, it validated the path to ensure it remained within the workspace boundary; second, it read the file at that path for preflight analysis. Because the path was mutable between these two operations, a local attacker with write access to the workspace could exploit a Time-of-Check Time-of-Use (TOCTOU) race condition. The attack works by swapping the target file after validation but before the read. Specifically, the attacker can initially point the path to a benign file that passes validation. During the race window, the attacker replaces the file (e.g., by renaming, moving, or changing a symbolic link) to a malicious file outside the intended workspace. When the preflight validator reads the file, it operates on the malicious file, believing it to be the validated one. This allows the attacker to bypass workspace boundary checks and cause the preflight analysis to inspect an unintended file. The validator only surfaces derived preflight content, such as a matched token, a line number, or the first non-empty JavaScript line, limiting the impact. However, this is a real TOCTOU boundary bug in code designed to reason about workspace-local script files before execution. The fix, implemented in PR 62333, replaces the check-then-read flow with an atomic pinned file descriptor (fd) open using the shared `readFileWithinRoot` helper. This ensures that the file identity is verified at the time of opening and reused for the read, eliminating the race window. Regression tests cover both pre-open and post-open swap windows. The fix first shipped in version 2026.4.10. Users should upgrade to version 2026.4.10 or newer to mitigate the vulnerability.

dailycve form:

Platform: OpenClaw (npm)
Version: <= 2026.4.9
Vulnerability: TOCTOU race
Severity: Moderate
date: Apr 10 2026

Prediction: Apr 10 2026

What Undercode Say:

Analytics:

  • Package: `openclaw` on npm
  • Affected Range: Versions up to and including `2026.4.9`
    – Fix Version: 2026.4.10, released on April 10, 2026
  • Fix Commit: `b024fae9e5df43e9b69b2daebb72be3469d52e91`
    – Vulnerability Type: Time-of-Check Time-of-Use (TOCTOU) / Race Condition
  • Attack Vector: Local, requiring ability to mutate the workspace path during the preflight window
  • Root Cause: Separate path validation and file read operations on a mutable path

Bash Commands and Codes:

You can simulate the vulnerable condition by attempting to swap a file during the race window. This is a simplified demonstration of the race concept. Create a test environment (DO NOT RUN ON PRODUCTION SYSTEMS):

mkdir -p /tmp/openclaw_test/{valid,malicious}
echo "safe" > /tmp/openclaw_test/valid/safe.txt
echo "malicious" > /tmp/openclaw_test/malicious/malicious.txt
ln -s /tmp/openclaw_test/valid/safe.txt /tmp/openclaw_test/link

In a real attack, a process would change this link during the race window. For testing, you can manually change the link after validation but before the read:

rm /tmp/openclaw_test/link && ln -s /tmp/openclaw_test/malicious/malicious.txt /tmp/openclaw_test/link

The vulnerable code would validate `/tmp/openclaw_test/link` (points to valid/safe.txt) but later read /tmp/openclaw_test/link. If the link changed to malicious/malicious.txt, the read would occur on the malicious file, bypassing the validation.

How Exploit:

  1. The attacker identifies a mutable path that is used by the `exec` script preflight validator.
  2. The attacker creates a benign file that passes workspace boundary validation.
  3. The attacker points the mutable path to the benign file.
  4. The validator checks the path and determines it is safe.
  5. During the race window (between validation and read), the attacker changes the path to point to a malicious file outside the workspace.
  6. The validator reads the malicious file, believing it to be the validated one.
  7. The preflight analysis operates on the malicious file, potentially leaking sensitive information or executing unintended code.

Protection from this CVE:

  • Upgrade to OpenClaw version 2026.4.10 or later.
  • Apply the fix commit `b024fae9e5df43e9b69b2daebb72be3469d52e91` if using an older version.
  • Use the `readFileWithinRoot` helper for any file read operations to ensure atomic boundary verification.
  • Avoid performing separate check-then-read operations on mutable paths.
  • Implement file descriptor pinning to prevent race conditions.

Impact:

The impact is limited. The vulnerability does not allow arbitrary full-file disclosure through the preflight error path. The validator only surfaces derived preflight content, such as a matched token, a line number, or the first non-empty JavaScript line. Exploitation requires the ability to mutate the relevant workspace path during the preflight window. However, it is a real TOCTOU boundary bug that could allow an attacker to bypass workspace boundary checks and inspect unintended files. The fix eliminates the race condition by using atomic pinned-fd open operations.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top