OpenShell (npm openclaw), TOCTOU Symlink Race, CVE-unknown (critical)

The vulnerability is a time-of-check/time-of-use (TOCTOU) race condition in OpenShell's filesystem bridge for sandboxed writes. When a write operation (e.g., fs.writeFile) targets a path inside the sandbox mount root, the sandbox first validates the path's canonical location. However, an attacker who controls a symlink inside the sandbox can exploit the narrow window between the check (resolving the symlink to its canonical target) and the use (actually opening the file for writing): in that window the symlink is swapped to point outside the mount root, for example to `/etc/passwd` or a system binary. Because the write helpers trusted the resolved path without re‑validating it at the point of use, the write proceeds to the attacker‑chosen external location. The flaw breaks sandbox isolation and allows arbitrary file writes on the host. The issue affects all versions of the `openclaw` npm package up to and including 2026.4.21. The fix (2026.4.22) validates the canonical target against the mount root, rejects unsafe symlink parents and leaf symlinks, and uses root‑scoped write helpers that re‑validate before syncing to the remote sandbox.

DailyCVE form:

Platform: npm openclaw
Version: <=2026.4.21
Vulnerability: TOCTOU symlink swap
Severity: critical
Date: 2026-04-21

Prediction: 2026-04-23

What Undercode Says:

Analytics: Attack complexity medium. Exploitation requires local sandbox access. Patch backported.

Check openclaw version
npm list openclaw
Verify fix presence in 2026.4.22
npm view openclaw@2026.4.22 --json | grep -A5 "fix"
Simulate race condition (proof-of-concept)
ln -s sandbox/target target_link
while true; do ln -sf /etc/passwd target_link; done &
while true; do echo "write" > sandbox/target_link/file; done

Exploit:

The attacker creates a symlink inside the sandbox pointing to an allowed location under the mount root. In the race window, the symlink is swapped to an absolute host path (e.g., /root/.ssh/authorized_keys). The sandbox write follows the swapped link, overwriting the host file.

Protection from this CVE:

Upgrade `openclaw` to >=2026.4.22 (`npm update openclaw`). Where the kernel supports it, open sandbox paths with `openat2` and `RESOLVE_BENEATH`, so that path resolution itself cannot escape the mount root regardless of symlink swaps. Monitor for unexpected symlink creation or modification inside sandboxes.

Impact:

Complete sandbox escape. Remote code execution via overwriting host scripts or SSH keys. Privilege escalation to host user. Data integrity loss on target system.

Sources:

Reported By: github.com
Extra Source Hub:
Undercode