GHSA-5h3g-6xhh-rg6p: openclaw: TOCTOU race allows out-of-sandbox file read

GHSA-5h3g-6xhh-rg6p MEDIUM
Published May 4, 2026
CISO Take

OpenClaw's filesystem bridge contains a time-of-check/time-of-use race condition that lets an attacker swap a symlink between path validation and the actual byte read, causing the agent's sandbox to read files outside its intended mount root — including host credentials, LLM API keys, and configuration files. For teams running AI agent workflows with OpenClaw, this is not an isolated finding: the package carries 135 historical CVEs and AIID incident #1368 documents malicious OpenClaw skills actively distributing the AMOS Stealer for credential exfiltration, confirming real-world exploitation of this ecosystem. No EPSS data or public exploit exists yet, but the combination of low-barrier tooling (skills ecosystem), documented ecosystem abuse, and sensitive data access within typical agent deployments elevates practical risk above the nominal CVSS score. Upgrade to openclaw@2026.4.22 immediately — no viable workaround exists short of OS-level filesystem isolation.

Sources: GitHub Advisory, ATLAS, AIID

What is the risk?

Medium severity in isolation, elevated in AI agent deployments where OpenClaw processes untrusted inputs or third-party skills with filesystem access. The TOCTOU race requires timing precision that prevents trivial exploitation, but an adversary controlling agent inputs or distributing a malicious skill (as documented in AIID #1368) can reliably trigger it with repeated attempts. The package's 135-CVE history signals systemic security debt, and the skills ecosystem abuse documented in the incident database means the attack surface is broader than the npm download count alone suggests.

How does the attack unfold?

Skill Delivery
Adversary publishes or compromises a malicious OpenClaw skill in the skills ecosystem, gaining a code execution foothold within the agent's tool invocation context.
AML.T0053
TOCTOU Race
The malicious skill triggers the OpenShell FS bridge read path and concurrently races a symlink swap between the file validation check and the actual byte read, redirecting access to a sensitive target outside the mount root.
AML.T0105
Sandbox Escape
The symlink resolves to a sensitive file outside the intended mount root (e.g., LLM API keys, AWS credentials, agent configuration), which the FS bridge reads and returns as if it were the originally requested file.
AML.T0037
Credential Exfiltration
Sensitive file contents are returned to the malicious skill and exfiltrated to an attacker-controlled endpoint, enabling follow-on access to AI services or downstream infrastructure.
AML.T0025

What systems are affected?

Package    Ecosystem   Vulnerable Range   Patched
OpenClaw   npm         <= 2026.4.21       2026.4.22

4 dependents, 36% patched, ~3d to patch

Do you use OpenClaw? You're affected.

How severe is it?

CVSS 3.1: N/A
EPSS: N/A
Exploitation Status: No known exploitation
Sophistication: Moderate

What should I do?

5 steps
  1. Upgrade openclaw to >= 2026.4.22 immediately — the fix introduces O_NOFOLLOW semantics, file descriptor pinning validated against canonical mount root, and rejection of hardlink and symlink bypass attempts.

  2. If upgrade is blocked, confine the OpenClaw process to a dedicated low-privilege user and apply OS-level filesystem restrictions (AppArmor profile or seccomp filter) limiting accessible directory trees to only what the agent legitimately needs.

  3. Audit installed OpenClaw skills and third-party plugins for provenance, given the documented skills-ecosystem abuse in AIID #1368.

  4. Rotate any credentials or API keys accessible from the OpenClaw process's working directories on affected versions.

  5. Review filesystem access logs for anomalous reads outside expected agent working directories as an indicator of prior exploitation.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

ISO 42001
A.6.2 - Processes to address AI-related risks
NIST AI RMF
MANAGE 2.2 - Mechanisms to track and manage AI risks
OWASP LLM Top 10
LLM02 - Sensitive Information Disclosure LLM06 - Excessive Agency

Frequently Asked Questions

Is GHSA-5h3g-6xhh-rg6p actively exploited?

No confirmed active exploitation of GHSA-5h3g-6xhh-rg6p has been reported, but organizations should still patch proactively.

What systems are affected by GHSA-5h3g-6xhh-rg6p?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, AI agent sandboxes, local AI agent deployments, AI tool orchestration platforms.

What is the CVSS score for GHSA-5h3g-6xhh-rg6p?

No CVSS score has been assigned yet.

What is the AI security impact?

Affected AI Architectures

agent frameworks
AI agent sandboxes
local AI agent deployments
AI tool orchestration platforms

MITRE ATLAS Techniques

AML.T0010.005 AI Agent Tool
AML.T0037 Data from Local System
AML.T0053 AI Agent Tool Invocation
AML.T0105 Escape to Host

Compliance Controls Affected

ISO 42001: A.6.2
NIST AI RMF: MANAGE 2.2
OWASP LLM Top 10: LLM02, LLM06

What are the technical details?

Original Advisory

## Summary

OpenShell FS bridge reads pin and verify the opened file before returning bytes.

## Affected Packages / Versions

- Package: openclaw (npm)
- Affected versions: <= 2026.4.21
- Fixed version: 2026.4.22

## Impact

A time-of-check/time-of-use race around OpenShell sandbox filesystem reads could let a symlink swap cause bytes outside the intended mount root to be read.

## Fix

OpenShell reads now open the file with no-follow semantics where available, validate the pinned file descriptor against the canonical mount root, reject unsafe hardlink/symlink cases, and use a strict fallback ancestor walk on platforms without fd-path readback.

## Fix Commit(s)

- 95119017c847c737bd113f0bff728c4666d79c45

## Verification

- The fix commit is contained in the public v2026.4.22 tag.
- openclaw@2026.4.22 is published on npm and the compiled package contains the fix.
- Focused regression coverage for this path passed before publication.

OpenClaw thanks @VladimirEliTokarev for reporting.

Exploitation Scenario

An adversary publishes or compromises a malicious OpenClaw skill (consistent with the AIID #1368 attack pattern documented in February 2026). The skill invokes the OpenShell FS bridge to read a legitimate file within the allowed mount root, while concurrently racing a symlink replacement — swapping the target path to point to /root/.aws/credentials, the agent's LLM API key file, or another high-value target. Between OpenShell's validation check and the actual file descriptor read, the symlink resolves to the sensitive target outside the mount root. The skill receives the file contents as if they were the originally requested file and exfiltrates them to an attacker-controlled endpoint. In containerized deployments lacking additional OS-level controls, repeated race attempts achieve reliable success within seconds.

Weaknesses (CWE)

CWE-367 — Time-of-check Time-of-use (TOCTOU) Race Condition: The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check.

  • [Implementation] The most basic advice for TOCTOU vulnerabilities is to not perform a check before the use. This does not resolve the underlying issue of the execution of a function on a resource whose state and identity cannot be assured, but it does help to limit the false sense of security given by the check.
  • [Implementation] When the file being altered is owned by the current user and group, set the effective gid and uid to that of the current user and group when executing this statement.

Source: MITRE CWE corpus.

Timeline

Published: May 4, 2026
Last Modified: May 4, 2026
First Seen: May 5, 2026
