PT-2026-23506 · Openclaw · Openclaw

Kikayli · Published 2026-03-05 · Updated 2026-05-05 · CVE-2026-43529

CVSS v3.1: 2.5 (Low)

Vector: AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: OpenClaw versions prior to 2026.4.10

Description: A time-of-check-time-of-use (TOCTOU) race condition exists in the validateScriptFileForShellBleed() function. In a TOCTOU bug, software checks a condition (here, that a script file lies inside the workspace boundary) and later acts on the result of that check, but the state that was checked can change in between. A local attacker with write access to the workspace can swap the target file between the validation step and the preflight read, so the validator ends up inspecting a different file identity than the one that passed the boundary check, which bypasses the workspace boundary check.

Recommendations: Update to version 2026.4.10 or newer.

Fix

Weakness Enumeration

Time Of Check To Time Of Use (CWE-367)

Related Identifiers

CVE-2026-43529
GHSA-GJ9Q-8W99-MP8J

Affected Products

Openclaw