CVE-2026-44112 Overview
CVE-2026-44112 is a time-of-check/time-of-use (TOCTOU) race condition in OpenClaw versions prior to 2026.4.22. The flaw resides in the OpenShell sandbox filesystem bridge, where writes are not pinned to the sandbox root. Attackers with low privileges can swap a path component for a symbolic link between the sandbox path validation and the actual write operation. This redirects file writes outside the intended local mount root, breaking sandbox containment. The weakness is classified under [CWE-367] and affects integrity of host files reachable by the sandbox process.
Critical Impact
Successful exploitation lets an authenticated attacker write arbitrary files outside the OpenShell sandbox mount root, undermining isolation guarantees.
Affected Products
- OpenClaw versions prior to 2026.4.22
- OpenClaw OpenShell extension (extensions/openshell/src/fs-bridge.ts)
- Plugins relying on openclaw/plugin-sdk/sandbox for filesystem writes
Discovery Timeline
- 2026-05-06 - CVE-2026-44112 published to NVD
- 2026-05-06 - Last updated in NVD database
Technical Details for CVE-2026-44112
Vulnerability Analysis
The OpenShell filesystem bridge resolves a sandbox path, validates it falls within the configured mount root, and then performs the write. Between the resolution and the write, the path is not held under a stable, root-anchored handle. An attacker who controls a writable directory inside the sandbox can replace an intermediate path component with a symbolic link pointing outside the mount root. The subsequent write follows the symlink and lands on the host filesystem. The defect impacts integrity only; confidentiality and availability are not directly affected by this primitive.
Root Cause
The root cause is a classic TOCTOU pattern in fs-bridge.ts. Path validation (SandboxResolvedPath, createWritableRenameTargetResolver) and the write syscall operate on independent name lookups instead of a single resolved file descriptor anchored to the sandbox root. Because filesystem operations are not atomic with respect to symlink replacement, the validated path and the written path can diverge.
Attack Vector
Exploitation requires an authenticated low-privileged actor able to drive OpenShell filesystem operations and to race a symlink swap on a path component. The attacker creates a benign target inside the sandbox, triggers a write or rename through the bridge, and concurrently replaces a directory component with a symlink to an absolute host path. When the bridge proceeds with the write, the operation escapes the mount root.
// Patch excerpt: extensions/openshell/src/fs-bridge.ts
SandboxResolvedPath,
} from "openclaw/plugin-sdk/sandbox";
import { createWritableRenameTargetResolver } from "openclaw/plugin-sdk/sandbox";
+import { writeFileWithinRoot } from "openclaw/plugin-sdk/infra-runtime";
import type { OpenShellFsBridgeContext, OpenShellSandboxBackend } from "./backend.types.js";
import { movePathWithCopyFallback } from "./mirror.js";
Source: GitHub commit 7be82d4. The fix introduces writeFileWithinRoot, which pins host writes to the sandbox root using a root-anchored resolver rather than re-walking the path after validation.
Detection Methods for CVE-2026-44112
Indicators of Compromise
- Symbolic links appearing inside OpenShell sandbox working directories that point to absolute host paths outside the mount root.
- File modifications on host paths whose parent process is the OpenShell sandbox backend or fs-bridge worker.
- Repeated rapid rename/symlink/unlink sequences on the same path during a single sandbox write transaction.
Detection Strategies
- Monitor process telemetry for OpenShell backend processes performing openat, renameat, or symlinkat calls that resolve outside the configured mount root.
- Audit OpenClaw plugin logs for filesystem bridge operations whose final write path differs from the originally resolved SandboxResolvedPath.
- Hunt for plugin extensions still importing the pre-patch resolver without writeFileWithinRoot.
Monitoring Recommendations
- Enable filesystem auditing (auditd, EDR file telemetry) on host directories adjacent to OpenShell mount roots.
- Alert on creation of symlinks by sandboxed users that target paths outside the sandbox.
- Track OpenClaw version inventory to flag hosts running releases earlier than 2026.4.22.
How to Mitigate CVE-2026-44112
Immediate Actions Required
- Upgrade OpenClaw to version 2026.4.22 or later on all hosts running the OpenShell extension.
- Restrict which users and plugins can invoke OpenShell filesystem bridge operations until patching completes.
- Review existing sandbox mount roots for unexpected symlinks and revoke write access where not required.
Patch Information
The upstream fix is delivered in commit 7be82d4fd1193bcb7e44ee38838f00bf924ffa76, which routes host writes through writeFileWithinRoot from openclaw/plugin-sdk/infra-runtime. See the OpenClaw GHSA-wppj-c6mr-83jj advisory and the VulnCheck advisory for full release details.
Workarounds
- Disable the OpenShell extension on systems where patching is not yet possible.
- Mount sandbox roots on a dedicated filesystem with nosymfollow (where supported) to neutralize symlink-based escapes.
- Run OpenClaw under a dedicated unprivileged user whose write scope is constrained by mandatory access control (AppArmor/SELinux) to the intended mount root.
# Configuration example: pin OpenClaw service to the sandbox root via systemd
[Service]
User=openclaw
ReadWritePaths=/var/lib/openclaw/sandbox
ProtectSystem=strict
ProtectHome=yes
NoNewPrivileges=yes
# Block symlink traversal outside the sandbox tree
RestrictFileSystems=~symlink
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
