CVE-2026-43529 Overview
CVE-2026-43529 is a time-of-check-time-of-use (TOCTOU) race condition [CWE-367] in OpenClaw versions before 2026.4.10. The flaw resides in the validateScriptFileForShellBleed function, which performs workspace boundary checks separately from the preflight read. A local attacker with workspace write access can swap the target file between validation and read, causing the validator to inspect a different file than the one ultimately consumed.
Critical Impact
Local attackers with workspace write access can bypass workspace boundary checks by race-condition swapping target files between validation and preflight read operations.
Affected Products
- OpenClaw versions prior to 2026.4.10
- OpenClaw running on Node.js runtimes
- OpenClaw bash-tools.exec agent components
Discovery Timeline
- 2026-05-05 - CVE-2026-43529 published to NVD
- 2026-05-07 - Last updated in NVD database
Technical Details for CVE-2026-43529
Vulnerability Analysis
The vulnerability stems from a non-atomic file handling pattern in OpenClaw's script preflight validator. The validateScriptFileForShellBleed function performs two sequential operations: a workspace boundary check on a file path, and a subsequent read of that file's contents. Between these operations, the file path identity can change because the validator does not pin the underlying file descriptor.
A local attacker with write access to the workspace can exploit this gap. The attacker substitutes the file referenced by the validated path with a different file or symbolic link target after the boundary check passes but before the read completes. The validator then inspects content that differs from what initially passed inspection, undermining the boundary enforcement guarantee.
This is classified as a TOCTOU race condition under [CWE-367]. The exploitation requires precise timing and local privileges, but the attack window is reachable through standard filesystem operations.
Root Cause
The root cause is the separation of path validation from file open. The original implementation validated a path string and then re-opened the file by path, allowing an attacker to swap the underlying inode between the two operations. The fix introduces atomic pinned file descriptor opens with O_NOFOLLOW and O_NONBLOCK flags so that validation and read operate on the same file identity.
Attack Vector
Exploitation requires local access with write permissions to the OpenClaw workspace directory. The attacker creates a benign file that passes the boundary check, then races to replace it with a symlink or different file before the preflight read executes. Successful timing causes the validator to authorize content it never actually inspected.
// Patch: src/infra/fs-safe.ts
// fix(exec): replace TOCTOU check-then-read with atomic pinned-fd open
const SUPPORTS_NOFOLLOW = process.platform !== "win32" && "O_NOFOLLOW" in fsConstants;
+const NONBLOCK_OPEN_FLAG = "O_NONBLOCK" in fsConstants ? fsConstants.O_NONBLOCK : 0;
const OPEN_READ_FLAGS = fsConstants.O_RDONLY | (SUPPORTS_NOFOLLOW ? fsConstants.O_NOFOLLOW : 0);
+const OPEN_READ_NONBLOCK_FLAGS = OPEN_READ_FLAGS | NONBLOCK_OPEN_FLAG;
+const OPEN_READ_FOLLOW_FLAGS = fsConstants.O_RDONLY;
+const OPEN_READ_FOLLOW_NONBLOCK_FLAGS = OPEN_READ_FOLLOW_FLAGS | NONBLOCK_OPEN_FLAG;
Source: GitHub Commit b024fae
Detection Methods for CVE-2026-43529
Indicators of Compromise
- Rapid file replacement or symlink creation events targeting paths inside OpenClaw workspaces
- Unexpected rename(2) or symlink(2) syscalls occurring concurrently with validateScriptFileForShellBleed execution
- Script execution logs showing successful validation followed by content mismatches with on-disk files
- Workspace files whose inode numbers change between consecutive OpenClaw operations
Detection Strategies
- Monitor filesystem audit logs for write or rename operations on workspace files during script preflight windows
- Correlate OpenClaw application logs with Linux audit framework events for path-to-inode anomalies
- Apply behavioral rules that flag a process performing both validation and replacement of the same path within microsecond ranges
Monitoring Recommendations
- Enable auditd rules on OpenClaw workspace directories to capture open, rename, and symlink syscalls
- Track OpenClaw version strings across deployments to identify hosts still running pre-2026.4.10 builds
- Review process accounting for local accounts that have workspace write access and have invoked OpenClaw script execution paths
How to Mitigate CVE-2026-43529
Immediate Actions Required
- Upgrade OpenClaw to version 2026.4.10 or later, which includes the atomic pinned file descriptor fix
- Audit workspace directory permissions and remove write access for accounts that do not require it
- Inventory all OpenClaw deployments and confirm patch status before resuming script execution workflows
Patch Information
The fix is committed in b024fae9e5df43e9b69b2daebb72be3469d52e91 and published in the GitHub Security Advisory GHSA-gj9q-8w99-mp8j. The patch replaces the check-then-read pattern with an atomic pinned file descriptor open using O_NOFOLLOW and O_NONBLOCK flags in src/infra/fs-safe.ts and src/agents/bash-tools.exec.ts. Additional technical context is available in the VulnCheck Advisory on TOCTOU.
Workarounds
- Restrict workspace write access to trusted local users only, eliminating the attacker's ability to swap files
- Mount workspace directories with noexec and nosymfollow options where supported to limit symlink-based races
- Disable script execution features in OpenClaw until the patched version is deployed
# Configuration example: restrict workspace permissions
chmod 700 /path/to/openclaw/workspace
chown openclaw-service:openclaw-service /path/to/openclaw/workspace
# Optional: mount with hardened flags on Linux
mount -o remount,nosuid,nodev,nosymfollow /path/to/openclaw/workspace
# Verify installed version is patched
npm list openclaw | grep openclaw
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
