CVE-2026-43529
OpenClaw < 2026.4.10 - Time-of-Check-Time-of-Use (TOCTOU) Race Condition in exec Script Preflight Validator
CVSS Score
2.5
EPSS Score
0.0%
EPSS Percentile
0th
OpenClaw before 2026.4.10 contains a time-of-check-time-of-use vulnerability in the validateScriptFileForShellBleed function that allows local attackers to bypass workspace boundary checks. An attacker with workspace write access can race-condition swap the target file between validation and preflight read, causing the validator to inspect a different file identity than the one that passed the initial boundary check.
| CWE | CWE-367 |
| Vendor | openclaw |
| Product | openclaw |
| Published | May 5, 2026 |
| Last Updated | May 5, 2026 |
Stay Ahead of the Next One
Get instant alerts for openclaw openclaw
Be the first to know when new low vulnerabilities affecting openclaw openclaw are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N Attack Vector
Local
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None
Affected Versions
OpenClaw / OpenClaw
0 < 2026.4.10
References
github.com: https://github.com/openclaw/openclaw/security/advisories/GHSA-gj9q-8w99-mp8j github.com: https://github.com/openclaw/openclaw/commit/b024fae9e5df43e9b69b2daebb72be3469d52e91 vulncheck.com: https://www.vulncheck.com/advisories/openclaw-time-of-check-time-of-use-toctou-race-condition-in-exec-script-preflight-validator
Credits
๐ kikayli