PT-2026-33863 · Openclaw+1 · Openclaw
Antaisecuritylab
·
Published
2026-04-03
·
Updated
2026-04-21
·
CVE-2026-41296
CVSS v4.0
9.4
Critical
| AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:H |
Summary
Sandbox escape via TOCTOU race in remote FS bridge readFile
Current Maintainer Triage
- Normalized severity: critical
- Assessment: v2026.3.28 remote sandbox reads still do path-check then separate file read, so the TOCTOU sandbox escape remains present in the latest shipped tag.
Affected Packages / Versions
- Package:
openclaw(npm) - Latest published npm version:
2026.3.31 - Vulnerable version range:
<=2026.3.28 - Patched versions:
>= 2026.3.31 - First stable tag containing the fix:
v2026.3.31
Fix Commit(s)
121870a08583033ed6a0ed73d9ffea32991252bb— 2026-03-31T09:55:51+09:00
OpenClaw thanks @AntAISecurityLab for reporting.
Fix
Time Of Check To Time Of Use
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Openclaw