OpenClaw's exec script preflight validator previously validated and then read a script by mutable pathname. A local race could swap the path between validation and read, causing preflight analysis to inspect a different file identity than the one that passed the workspace boundary check.

The impact is limited. This was not arbitrary full-file disclosure through the preflight error path. The validator only surfaced derived preflight content, such as a matched token, a line number, or the first non-empty JavaScript line in one branch. Exploitation also required the ability to mutate the relevant workspace path during the preflight window.

Still, this was a real TOCTOU boundary bug in code that is supposed to reason about workspace-local script files before execution. A file identity that passed the initial boundary validation could differ from the identity that was later read for preflight analysis.

The vulnerable flow performed separate path validation and file reads in validateScriptFileForShellBleed. Because the read was path-based, an attacker with write access to the workspace path could race replacement of the target after validation but before preflight read.

PR #62333 replaced the check-then-read flow with a pinned safe-open/read path using the shared readFileWithinRoot helper. The fixed path performs boundary verification around the opened file identity and avoids relying on a mutable pathname for the final preflight read. Regression tests cover both pre-open and post-open swap windows.

The fix first shipped in v2026.4.10. Users should upgrade to openclaw 2026.4.10 or newer; the latest npm release already includes the fix.

Thanks to @kikayli for reporting this issue.