AI Threat Alert AI Threat Alert

GHSA-5h3g-6xhh-rg6p

GHSA-5h3g-6xhh-rg6p MEDIUM
Published May 4, 2026

## Summary OpenShell FS bridge reads pin and verify the opened file before returning bytes ## Affected Packages / Versions - Package: openclaw (npm) - Affected versions: <= 2026.4.21 - Fixed version: 2026.4.22 ## Impact A time-of-check/time-of-use race around OpenShell sandbox filesystem reads...

Full CISO analysis pending enrichment.

Affected Systems

Package Ecosystem Vulnerable Range Patched
openclaw npm <= 2026.4.21 2026.4.22
4 dependents 93% patched ~0d to patch Full package profile →

Do you use openclaw? You're affected.

Severity & Risk

CVSS 3.1
N/A
EPSS
N/A
Exploitation Status
No known exploitation
Sophistication
N/A

Recommended Action

Patch available

Update openclaw to version 2026.4.22

Compliance Impact

Compliance analysis pending. Sign in for full compliance mapping when available.

Frequently Asked Questions

What is GHSA-5h3g-6xhh-rg6p?

OpenClaw: OpenShell FS bridge reads pin and verify the opened file before returning bytes

Is GHSA-5h3g-6xhh-rg6p actively exploited?

No confirmed active exploitation of GHSA-5h3g-6xhh-rg6p has been reported, but organizations should still patch proactively.

How to fix GHSA-5h3g-6xhh-rg6p?

Update to patched version: openclaw 2026.4.22.

What is the CVSS score for GHSA-5h3g-6xhh-rg6p?

No CVSS score has been assigned yet.

Technical Details

NVD Description

## Summary OpenShell FS bridge reads pin and verify the opened file before returning bytes ## Affected Packages / Versions - Package: openclaw (npm) - Affected versions: <= 2026.4.21 - Fixed version: 2026.4.22 ## Impact A time-of-check/time-of-use race around OpenShell sandbox filesystem reads could let a symlink swap cause bytes outside the intended mount root to be read. ## Fix OpenShell reads now open the file with no-follow semantics where available, validate the pinned file descriptor against the canonical mount root, reject unsafe hardlink/symlink cases, and use a strict fallback ancestor walk on platforms without fd-path readback. ## Fix Commit(s) - 95119017c847c737bd113f0bff728c4666d79c45 ## Verification - The fix commit is contained in the public v2026.4.22 tag. - openclaw@2026.4.22 is published on npm and the compiled package contains the fix. - Focused regression coverage for this path passed before publication. OpenClaw thanks @VladimirEliTokarev for reporting.

Weaknesses (CWE)

CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition Primary

References

Timeline

Published
May 4, 2026
Last Modified
May 4, 2026
First Seen
May 5, 2026

Related Vulnerabilities

CRITICAL CVE-2026-30741 9.8

OpenClaw: RCE via request-side prompt injection

Same package: openclaw
CRITICAL CVE-2026-28451 9.3

OpenClaw: SSRF via Feishu extension exposes internal services

Same package: openclaw
HIGH GHSA-m3mh-3mpg-37hw 8.6

OpenClaw: .npmrc hijack enables RCE on plugin install

Same package: openclaw
HIGH CVE-2026-27001 7.8

OpenClaw: prompt injection via unsanitized workspace path

Same package: openclaw
HIGH GHSA-hr5v-j9h9-xjhg 7.7

OpenClaw: sandbox escape via mediaUrl path traversal

Same package: openclaw
Back to Threat Feed