PT-2026-29233 · Openclaw · Openclaw

Qi Deng · Published 2026-03-13 · Updated 2026-03-31 · CVE-2026-32977

CVSS v3.1: 6.3 (Medium)

Vector: AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H

Name of the Vulnerable Software and Affected Versions
OpenClaw versions prior to 2026.3.11

Description
The software contains a sandbox boundary bypass issue in the fs-bridge writeFile commit step. This is due to the use of an unanchored container path during the final move operation, creating a time-of-check-time-of-use race condition. An attacker can modify parent paths within the sandbox to redirect committed files outside the validated writable path within the container mount namespace.

Recommendations
Update to version 2026.3.11 or later.
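
The check-then-move pattern from the description, as an added example that is not OpenClaw's code: a path-based commit is compared with one anchored to a directory descriptor, with the parent swap simulated deterministically instead of raced. All function, file and directory names are hypothetical, and a POSIX system is assumed.

```python
import os
import tempfile

FLAGS = os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW

def commit_unanchored(root, rel_dir, tmp, final, window=lambda: None):
    """Flawed pattern: validate a path string, then move using the same string."""
    dest_dir = os.path.join(root, rel_dir)
    if not os.path.realpath(dest_dir).startswith(os.path.realpath(root) + os.sep):
        raise PermissionError("destination escapes writable root")
    window()  # time between check and use: parent paths can change here
    os.rename(os.path.join(root, tmp), os.path.join(dest_dir, final))  # re-resolved

def commit_anchored(root, rel_dir, tmp, final, window=lambda: None):
    """Hardened pattern: pin the checked directory as an fd and move relative to it."""
    root_fd = os.open(root, FLAGS)
    dir_fd = os.dup(root_fd)
    try:
        for part in rel_dir.split("/"):  # one component at a time, symlinks refused
            if part in ("", ".", ".."):
                raise PermissionError("bad path component")
            nxt = os.open(part, FLAGS, dir_fd=dir_fd)
            os.close(dir_fd)
            dir_fd = nxt
        window()  # the same swap happens, but dir_fd still names the checked inode
        os.rename(tmp, final, src_dir_fd=root_fd, dst_dir_fd=dir_fd)
    finally:
        os.close(dir_fd)
        os.close(root_fd)

def demo(commit):
    """Constructed scenario: 'out' is replaced by a symlink after validation."""
    base = os.path.realpath(tempfile.mkdtemp())
    root, outside = os.path.join(base, "sandbox"), os.path.join(base, "outside")
    os.makedirs(os.path.join(root, "out"))
    os.mkdir(outside)
    with open(os.path.join(root, "stage.tmp"), "w") as f:
        f.write("data")
    def swap():
        os.rename(os.path.join(root, "out"), os.path.join(root, "out.old"))
        os.symlink(outside, os.path.join(root, "out"))
    commit(root, "out", "stage.tmp", "result.txt", swap)
    return {"outside": os.listdir(outside),
            "inside": os.listdir(os.path.join(root, "out.old"))}

if __name__ == "__main__":
    print("unanchored:", demo(commit_unanchored))
    print("anchored:  ", demo(commit_anchored))
```

With the path-based commit the file lands in the directory outside the sandbox root; with the descriptor-anchored commit it stays in the directory that was validated, even though that directory has since been renamed.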

Fix

Time Of Check To Time Of Use

Weakness Enumeration

Related identifiers

CVE-2026-32977
GHSA-XVX8-77M6-GWG6
GHSA-XXJ4-96PH-G6J6

Affected products

Openclaw