CVE-2026-32043 Overview
OpenClaw versions prior to 2026.2.25 contain a Time-of-Check Time-of-Use (TOCTOU) vulnerability in the approval-bound system.run execution mechanism. The vulnerability exists because the cwd parameter is validated at approval time but resolved at execution time, creating a race condition window. Attackers can exploit this by retargeting a symlinked cwd directory between the approval and execution phases, effectively bypassing command execution restrictions and gaining the ability to execute arbitrary commands on node hosts.
Critical Impact
Attackers with local access can bypass command execution restrictions through symlink manipulation, potentially executing arbitrary commands on node hosts and compromising system integrity.
Affected Products
- OpenClaw versions prior to 2026.2.25
- OpenClaw for Node.js environments
- Systems using approval-bound system.run execution with configurable cwd parameter
Discovery Timeline
- 2026-03-21 - CVE-2026-32043 published to NVD
- 2026-03-24 - Last updated in NVD database
Technical Details for CVE-2026-32043
Vulnerability Analysis
This vulnerability falls under CWE-367 (Time-of-Check Time-of-Use Race Condition), a class of vulnerabilities where a resource's state is verified at one point in time but used at another, allowing the resource to change between these two operations.
In OpenClaw's approval-bound execution system, when a user requests to run a command via system.run, the cwd (current working directory) parameter undergoes validation during the approval phase. However, the actual resolution of this path occurs later during execution time. This temporal gap creates an exploitable window where an attacker can manipulate the filesystem state.
The attack scenario involves creating a symlink pointing to a benign directory during the approval check, then quickly retargeting that symlink to point to a sensitive or restricted directory before execution occurs. Since the validation has already passed, the command executes in the attacker-controlled directory context, bypassing intended restrictions.
Root Cause
The root cause is a fundamental design flaw in how directory path validation is decoupled from path resolution. The approval system validates the cwd parameter as a string or resolved path at approval time, but does not lock or atomically verify the path at execution time. This allows mutable filesystem objects like symbolic links to be changed between validation and use, violating the security assumptions of the approval mechanism.
Attack Vector
The attack is local: the attacker needs access to the system with permissions to create and modify symbolic links. The attacker must be able to:
- Submit a system.run request with a cwd parameter pointing to a symlink they control
- Wait for the approval to pass validation
- Quickly retarget the symlink to a restricted directory before execution
- Achieve arbitrary command execution in the context of the retargeted directory
// Security patch in src/cli/nodes-cli/register.invoke.ts
// fix(security): harden approval-bound node exec cwd handling
{
id: approvalId,
command: rawCommand ?? argv.join(" "),
+ commandArgv: argv,
cwd: opts.cwd,
nodeId,
host: "node",
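Review bot: cwd: opts.cwd in this request is still the raw caller-supplied value, so what gets approved is a path name rather than the directory it currently resolves to. If the node host is expected to re-resolve and compare it before spawning, say so in a comment next to this field, or send the resolved path alongside it. The request also now carries both command (rawCommand ?? argv.join(" ")) and commandArgv, which can disagree when rawCommand is set, so it is worth documenting which of the two the host executes and which is display-only.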
Source: GitHub Commit Update
// Security patch in src/node-host/invoke-system-run.ts
// fix(security): harden approval-bound node exec cwd handling
import crypto from "node:crypto";
+import fs from "node:fs";
+import path from "node:path";
import { resolveAgentConfig } from "../agents/agent-scope.js";
import { loadConfig } from "../config/config.js";
import type { GatewayClient } from "../gateway/client.js";
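Review bot: the added fs and path imports at the top of invoke-system-run.ts are the only change visible in this excerpt, so the execution-time cwd check they are presumably for cannot be reviewed from here. I would want the code that uses them covered by a test that retargets a symlinked cwd after approval and asserts the run is refused, plus a short comment at the check stating exactly what is compared against the approval.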
Source: GitHub Commit Update
The excerpts above show the patch adding a commandArgv field to the approval request and importing the fs and path modules in the node host, enabling proper filesystem verification at execution time rather than relying solely on approval-time validation.
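The following is an added example, not code from the OpenClaw patch, showing one way to close this kind of gap: record what the cwd resolved to at approval time, resolve it again at execution time, and refuse to run on a mismatch. The names identify, approve, runApproved and demo are hypothetical, and the directories are constructed in a temporary folder.

```javascript
// Added example (not OpenClaw code); approve/runApproved are hypothetical names.
const fs = require("node:fs");
const os = require("node:os");
const path = require("node:path");
const { execFileSync } = require("node:child_process");

// Canonical path plus device/inode: what the name pointed at, not the name itself.
function identify(dir) {
  const real = fs.realpathSync(dir);
  const st = fs.statSync(real);
  if (!st.isDirectory()) throw new Error(`${dir} is not a directory`);
  return { real, dev: st.dev, ino: st.ino };
}

// Approval time: store the resolved identity alongside the argv being approved.
function approve(cwd, argv) {
  return { argv: [...argv], requestedCwd: cwd, bound: identify(cwd) };
}

// Execution time: resolve again, compare, then run in the canonical path only.
function runApproved(approval) {
  const now = identify(approval.requestedCwd);
  const b = approval.bound;
  if (now.real !== b.real || now.dev !== b.dev || now.ino !== b.ino) {
    throw new Error(`cwd changed since approval: ${b.real} -> ${now.real}`);
  }
  const [file, ...args] = approval.argv;
  return execFileSync(file, args, { cwd: b.real, encoding: "utf8" });
}

// Constructed scenario: a symlink approved while pointing at "safe" is
// retargeted to "restricted" before execution.
function demo() {
  const root = fs.mkdtempSync(path.join(fs.realpathSync(os.tmpdir()), "cwd-bind-"));
  const safe = path.join(root, "safe");
  const restricted = path.join(root, "restricted");
  const link = path.join(root, "work");
  for (const d of [safe, restricted]) fs.mkdirSync(d);
  fs.symlinkSync(safe, link);
  const argv = [process.execPath, "-e", "process.stdout.write(process.cwd())"];
  const ranIn = runApproved(approve(link, argv)); // target unchanged: runs in safe
  const stale = approve(link, argv);
  fs.unlinkSync(link);
  fs.symlinkSync(restricted, link); // retarget after approval
  let blocked = false;
  try { runApproved(stale); } catch { blocked = true; }
  fs.rmSync(root, { recursive: true, force: true });
  return { ranInSafe: ranIn === safe, blocked };
}
```

A short window remains between the re-check and the spawn, so the approved directory and its ancestors should not be writable by the requesting user.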
Detection Methods for CVE-2026-32043
Indicators of Compromise
- Unusual symlink creation or modification activity in directories used by OpenClaw system.run operations
- Rapid filesystem changes (symlink retargeting) occurring between approval and execution timestamps
- Command executions originating from unexpected or restricted directories
- Audit log discrepancies showing approved cwd paths that differ from actual execution paths
Detection Strategies
- Monitor filesystem events for symlink creation and modification in OpenClaw working directories using tools like inotify or auditd
- Implement integrity monitoring on directories commonly used as cwd parameters in approval-bound operations
- Correlate approval events with execution events to identify path mismatches indicating potential exploitation attempts
- Deploy behavioral analysis to detect race condition exploitation patterns
Monitoring Recommendations
- Enable verbose logging for all system.run approval and execution events including resolved paths
- Configure file integrity monitoring (FIM) on critical directories to alert on symlink changes
- Establish baseline behavior for normal cwd usage patterns and alert on deviations
- Review OpenClaw audit logs regularly for unusual command execution patterns
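The approval-to-execution correlation listed under Detection Strategies can be run over the kind of records the logging recommendation above would produce. This is an added example, not an OpenClaw tool: the JSON-lines format, the field names (event, id, cwd, resolvedCwd, ts) and the sample records are all constructed assumptions.

```javascript
// Constructed audit records; the schema is an assumption, not OpenClaw's log format.
const SAMPLE_LOG = `
{"ts":"2026-03-01T10:00:00.000Z","event":"approval","id":"a1","cwd":"/srv/jobs/work","resolvedCwd":"/srv/jobs/build"}
{"ts":"2026-03-01T10:00:01.200Z","event":"execution","id":"a1","cwd":"/srv/jobs/work","resolvedCwd":"/srv/jobs/build"}
{"ts":"2026-03-01T10:05:00.000Z","event":"approval","id":"a2","cwd":"/srv/jobs/work","resolvedCwd":"/srv/jobs/build"}
{"ts":"2026-03-01T10:05:00.420Z","event":"execution","id":"a2","cwd":"/srv/jobs/work","resolvedCwd":"/srv/restricted"}
{"ts":"2026-03-01T10:06:00.000Z","event":"execution","id":"a3","cwd":"/srv/jobs/work","resolvedCwd":"/srv/jobs/build"}
`;

// Pair each execution with its approval by id and report any run whose
// resolved cwd differs from the one approved, or that has no approval at all.
function findCwdMismatches(logText) {
  const approvals = new Map();
  const findings = [];
  for (const line of logText.split("\n")) {
    if (!line.trim()) continue;
    let rec;
    try { rec = JSON.parse(line); } catch { continue; } // skip malformed lines
    if (rec.event === "approval") {
      approvals.set(rec.id, rec);
    } else if (rec.event === "execution") {
      const appr = approvals.get(rec.id);
      if (!appr) {
        findings.push({ id: rec.id, reason: "execution without approval" });
      } else if (appr.resolvedCwd !== rec.resolvedCwd) {
        findings.push({
          id: rec.id,
          reason: "cwd retargeted after approval",
          approved: appr.resolvedCwd,
          executed: rec.resolvedCwd,
          gapMs: Date.parse(rec.ts) - Date.parse(appr.ts), // size of the race window
        });
      }
    }
  }
  return findings;
}
```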
How to Mitigate CVE-2026-32043
Immediate Actions Required
- Upgrade OpenClaw to version 2026.2.25 or later immediately
- Audit existing approval-bound command executions for signs of compromise
- Review filesystem permissions to restrict symlink creation in sensitive directories
- Temporarily disable or restrict system.run functionality until patching is complete
Patch Information
OpenClaw has released version 2026.2.25 which addresses this vulnerability by hardening the approval-bound node execution cwd handling. The fix ensures that directory paths are properly validated at execution time in addition to approval time, preventing symlink retargeting attacks.
For detailed information, see the GitHub Security Advisory and the security patch commit f789f880.
Workarounds
- Disable symlink resolution in OpenClaw configurations where supported
- Restrict local user permissions to prevent symlink creation in directories used by system.run
- Implement additional filesystem monitoring to detect and block rapid symlink changes
- Use immutable or read-only filesystems for critical working directories
# Configuration example - Restrict symlink creation in OpenClaw working directories
# Set restrictive permissions on cwd directories
chmod 755 /path/to/openclaw/workdir
chown root:root /path/to/openclaw/workdir
# Enable filesystem auditing for symlink operations
auditctl -w /path/to/openclaw/workdir -p wa -k openclaw_symlink_monitor