CVE-2026-44113 Overview
CVE-2026-44113 is a time-of-check/time-of-use (TOCTOU) race condition in the OpenClaw OpenShell filesystem bridge. The flaw affects all OpenClaw versions prior to 2026.4.22. Attackers with low privileges can swap symbolic links between the path validation step and the file access step. This allows reads of files outside the intended mount root and bypasses the sandbox boundary enforced by the filesystem bridge.
The weakness is tracked under CWE-367: Time-of-check Time-of-use Race Condition. The vulnerability impacts confidentiality only, with no direct impact on integrity or availability of the host system.
Critical Impact
Successful exploitation enables unauthorized disclosure of file contents outside the sandboxed mount, defeating filesystem isolation guarantees in OpenClaw deployments.
Affected Products
- OpenClaw versions prior to 2026.4.22
- OpenShell filesystem bridge component within OpenClaw
- Deployments relying on OpenShell mount-root sandboxing for tenant or user isolation
Discovery Timeline
- 2026-05-06 - CVE-2026-44113 published to NVD
- 2026-05-06 - Last updated in NVD database
Technical Details for CVE-2026-44113
Vulnerability Analysis
The OpenShell filesystem bridge mediates file operations between the OpenClaw runtime and the underlying host filesystem. It validates that requested paths resolve within a configured mount root before performing read operations. The validation and the subsequent open or read call are not atomic, creating a TOCTOU window.
An attacker controlling a path that the bridge will operate on can replace a benign component with a symbolic link after the path check succeeds. When the bridge proceeds to access the file, it follows the swapped symlink and reads content from a location outside the mount root. This results in unauthorized disclosure of file data the bridge would otherwise refuse to serve.
The attack requires low privileges and an authenticated context, but no user interaction. Attack complexity is high because the attacker must reliably win the race between the check and the use.
Root Cause
The root cause is non-atomic path resolution in the OpenShell filesystem bridge. The code validates a path string and then re-resolves the same path during the file operation, rather than operating on a stable file descriptor obtained at validation time. Attackers exploit the gap by mutating the filesystem namespace, typically through symlink swaps in attacker-writable directories.
Attack Vector
Exploitation proceeds in three steps. First, the attacker submits a filesystem operation through OpenShell targeting a path under the permitted mount. Second, during the validation-to-access window, the attacker replaces a directory or file component with a symbolic link pointing outside the mount root. Third, the bridge follows the symlink and returns the target file contents to the caller. The fix is included in commit 95119017c847c737bd113f0bff728c4666d79c45 and is documented in the GitHub Security Advisory GHSA-5h3g-6xhh-rg6p.
No public exploit code or in-the-wild exploitation has been reported. Technical details are described in the VulnCheck Advisory.
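To make the check-versus-use gap described under Root Cause and Attack Vector concrete, the following is an added example (not OpenClaw or OpenShell code): a path-string validation that is re-resolved at open time, beside a descriptor-based walk from the mount-root fd that opens each component with O_NOFOLLOW, followed by a deterministic replay of the swap inside the window on a constructed temporary tree. The function names, the `during_window` hook and the temporary tree are assumptions of the example.

```python
import os
import tempfile
# Added example, not OpenClaw code: a re-resolved path-string check (CWE-367) beside a fd-based walk.

def vulnerable_read(root, rel, during_window=lambda: None):
    """Validate the path string, then re-open the same string later."""
    real_root = os.path.realpath(root)
    resolved = os.path.realpath(os.path.join(root, rel))            # time of check
    if os.path.commonpath([resolved, real_root]) != real_root:
        raise PermissionError("outside mount root")
    during_window()        # stands in for the window the bridge leaves open
    with open(os.path.join(root, rel), "rb") as f:                  # time of use
        return f.read()

def safe_read(root, rel):
    """Open component by component from a root fd; O_NOFOLLOW rejects any symlink."""
    parts = [p for p in rel.split("/") if p not in ("", ".")]
    if not parts or ".." in parts:
        raise PermissionError("empty path or parent traversal rejected")
    dflags = os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW | os.O_CLOEXEC
    fd = os.open(root, os.O_RDONLY | os.O_DIRECTORY | os.O_CLOEXEC)
    try:
        for name in parts[:-1]:
            nfd = os.open(name, dflags, dir_fd=fd)
            os.close(fd)
            fd = nfd
        ffd = os.open(parts[-1], os.O_RDONLY | os.O_NOFOLLOW | os.O_CLOEXEC, dir_fd=fd)
    except OSError as e:               # ELOOP: a component was swapped for a symlink
        raise PermissionError(f"refused {rel}: {e.strerror}") from e
    finally:
        os.close(fd)
    with os.fdopen(ffd, "rb") as f:
        return f.read()

def demo():
    """Replay the swap deterministically inside the window on a constructed temp tree."""
    base = tempfile.mkdtemp()
    root = os.path.join(base, "mount-root")
    os.makedirs(os.path.join(root, "data"))
    with open(os.path.join(base, "host-secret"), "w") as f: f.write("OUTSIDE")
    def swap():  # directory 'data' becomes a symlink pointing above the mount root
        os.rename(os.path.join(root, "data"), os.path.join(root, "data.old"))
        os.symlink(base, os.path.join(root, "data"))
    leaked = vulnerable_read(root, "data/host-secret", during_window=swap)
    blocked = False
    try:
        safe_read(root, "data/host-secret")
    except PermissionError:
        blocked = True
    return leaked, blocked            # (b"OUTSIDE", True)
```

The descriptor-based walk is the shape of fix the Root Cause section calls for: once a directory fd is held, later namespace changes cannot redirect the remaining lookups.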
Detection Methods for CVE-2026-44113
Indicators of Compromise
- OpenShell access logs showing repeated, rapid file operations against the same path within microsecond intervals, consistent with race-window probing.
- Symbolic links appearing transiently inside attacker-writable directories under the OpenShell mount root.
- Audit records of OpenShell read operations returning file paths or content that resolve outside the configured mount root.
Detection Strategies
- Enable filesystem auditing (Linux auditd rules on symlink, symlinkat, and openat) for paths inside OpenShell mount roots and correlate creations with subsequent OpenShell reads.
- Inspect OpenClaw application logs for OpenShell bridge errors or anomalous realpath mismatches between validation and access events.
- Compare the inode (device and inode number) of each file OpenShell actually served against the set of inodes under the mount root; a served file whose inode is not in that set indicates symlink redirection.
Monitoring Recommendations
- Forward OpenClaw and host audit logs to a centralized logging or SIEM platform and alert on bursts of symlink syscalls preceding OpenShell read operations.
- Track process behavior of the OpenClaw runtime for unexpected file descriptor opens outside declared mount roots.
- Baseline normal OpenShell read latency and flag operations whose timing patterns suggest race-condition exploitation attempts.
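The symlink-then-read correlation suggested in the Detection Strategies and Monitoring Recommendations above, as an added example that is not part of the original advisory or of any OpenClaw tooling. It assumes audit records have already been normalized into a simple `timestamp syscall comm path` line format (the sample lines, the 0.5 s window, the `openclaw` process name and the function names are all constructed assumptions; real auditd output would need normalizing first).

```python
import re
from collections import deque

MOUNT_ROOT = "/var/lib/openclaw/openshell-root"   # mount root used in the workaround section
WINDOW_S = 0.5             # assumed correlation window between symlink creation and read
RUNTIME_COMM = "openclaw"  # assumed process name of the OpenClaw runtime

# Constructed, simplified audit lines: "ts syscall comm path". Real auditd SYSCALL/PATH
# records would first be normalized into this shape.
SAMPLE = """\
1700000000.100 symlinkat editor /var/lib/openclaw/openshell-root/data
1700000000.102 openat openclaw /var/lib/openclaw/openshell-root/data/report.txt
1700000003.000 openat openclaw /var/lib/openclaw/openshell-root/logs/app.log
1700000005.000 symlinkat tenant7 /var/lib/openclaw/openshell-root/shared
1700000005.004 openat openclaw /var/lib/openclaw/openshell-root/shared/x
1700000009.000 symlinkat tenant7 /var/lib/openclaw/openshell-root/shared
1700000011.000 openat openclaw /var/lib/openclaw/openshell-root/shared/y
"""

LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")

def parse(text):
    """Yield (ts, syscall, comm, path) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            ts, sc, comm, path = m.groups()
            yield float(ts), sc, comm, path

def correlate(events, root=MOUNT_ROOT, window=WINDOW_S, runtime=RUNTIME_COMM):
    """Flag runtime opens that follow, within `window` seconds, a symlink created under
    the same mount-root prefix by another process (the race-window pattern)."""
    recent = deque()      # (ts, path) of symlink creations inside the mount root
    alerts = []
    for ts, sc, comm, path in sorted(events):
        if sc in ("symlink", "symlinkat") and path.startswith(root + "/") and comm != runtime:
            recent.append((ts, path))
        elif sc == "openat" and comm == runtime:
            while recent and ts - recent[0][0] > window:   # expire stale symlink events
                recent.popleft()
            for lts, lpath in recent:
                if path == lpath or path.startswith(lpath + "/"):
                    alerts.append((ts, lpath, path, round(ts - lts, 3)))
    return alerts
```

Tune the window to the baseline OpenShell read latency; symlink creations that are never followed by a runtime open within it drop out of the queue without alerting.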
How to Mitigate CVE-2026-44113
Immediate Actions Required
- Upgrade OpenClaw to version 2026.4.22 or later, which contains the fix from commit 95119017c847c737bd113f0bff728c4666d79c45.
- Inventory all OpenClaw deployments and identify any instance still running pre-2026.4.22 builds, including container images and bundled distributions.
- Restrict which authenticated users can submit OpenShell filesystem operations until patching is complete.
Patch Information
The vendor fix is published in the upstream commit 95119017c847c737bd113f0bff728c4666d79c45 and described in the OpenClaw Security Advisory GHSA-5h3g-6xhh-rg6p. Operators should rebuild any container images or downstream packages that vendor OpenClaw and redeploy after upgrading.
Workarounds
- Mount the OpenShell filesystem root with nosymfollow where supported, preventing the bridge from traversing symbolic links during file operations.
- Restrict the OpenShell mount root to directories that are not writable by untrusted users, eliminating the attacker's ability to plant swap symlinks.
- Run OpenClaw under a mandatory access control policy (SELinux or AppArmor) that confines the runtime to specific inode trees regardless of path resolution.
# Configuration example: remount the OpenShell root without symlink traversal
# (nosymfollow needs Linux 5.10+; the path must already be a mount point for remount to apply)
mount -o remount,nosymfollow /var/lib/openclaw/openshell-root
# Verify the installed OpenClaw version is 2026.4.22 or later using a version-aware sort
# (a missing or unparseable version string is reported as VULNERABLE rather than ignored)
ver="$(openclaw --version | grep -oE '[0-9]+(\.[0-9]+)+' | head -n1)"
[ -n "$ver" ] && [ "$(printf '%s\n' 2026.4.22 "$ver" | sort -V | head -n1)" = 2026.4.22 ] \
  && echo "patched ($ver)" || echo "VULNERABLE (${ver:-unknown})"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


