A time-of-check/time-of-use race condition in openclaw's exec script preflight validator allowed a local attacker with write access to the workspace to swap the validated script file in the window between path validation and the subsequent preflight read, so the boundary check applied to one file identity while analysis ran on another. Impact is deliberately constrained by design — the preflight error path only surfaced derived metadata such as a matched token, a line number, or the first non-empty JavaScript line of the swapped file, not full content disclosure. With only 2 known downstream dependents, no public exploit, no CISA KEV listing, and no EPSS data, the real-world blast radius is narrow; however, openclaw carries 68 prior CVEs, a pattern that warrants supply chain scrutiny for any agentic pipeline depending on it. Upgrade to openclaw 2026.4.10 or later; if patching is blocked, restrict filesystem write permissions on all workspace paths accessible to the openclaw exec runtime.
What is the risk?
Overall risk is LOW. Exploitation requires a local attacker who already holds write access to the workspace path — this is not remotely triggerable. The TOCTOU window is narrow and timing-sensitive, raising practical exploitation difficulty. Data exposure is limited to derived preflight metadata (tokens, line numbers, first JS line), not arbitrary file read. No active exploitation evidence, no public PoC, and an extremely small downstream install base (2 dependents) further constrain risk. The primary concern is the signal it sends about openclaw's security maturity given 68 CVEs in the same package.
How does the attack unfold?
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| OpenClaw | npm | < 2026.4.10 | 2026.4.10 |
How severe is it?
What should I do?
1. Patch: Upgrade openclaw to version 2026.4.10 or newer — the fix replaces the vulnerable check-then-read pattern with a pinned atomic open using readFileWithinRoot, which anchors boundary verification to the opened file descriptor rather than the mutable pathname.
2. Access control: Until patching is complete, restrict write permissions on all workspace paths that openclaw exec accesses to the minimum required principal set — deny write to any process or user not explicitly authorized.
3. Detection: Monitor workspace paths for unexpected file replacement activity during script execution windows (inotify/FSEvents on the workspace directory).
4. Supply chain hygiene: Audit openclaw's 68-CVE history to assess whether continued dependency is warranted; evaluate alternative agentic script execution frameworks with stronger security track records.
How is it classified?
Which compliance frameworks are affected?
This CVE is relevant to:
Frequently Asked Questions
Is GHSA-gj9q-8w99-mp8j actively exploited?
No confirmed active exploitation of GHSA-gj9q-8w99-mp8j has been reported, but organizations should still patch proactively.
What systems are affected by GHSA-gj9q-8w99-mp8j?
This vulnerability affects the following AI/ML architecture patterns: agent frameworks, local AI agent deployments, agentic script execution pipelines.
What is the CVSS score for GHSA-gj9q-8w99-mp8j?
No CVSS score has been assigned yet.
What is the AI security impact?
Affected AI Architectures
MITRE ATLAS Techniques
- AML.T0010.005 AI Agent Tool
- AML.T0037 Data from Local System
- AML.T0053 AI Agent Tool Invocation
- AML.T0107 Exploitation for Defense Evasion

Compliance Controls Affected
What are the technical details?
Original Advisory
## Summary

OpenClaw's exec script preflight validator previously validated and then read a script by mutable pathname. A local race could swap the path between validation and read, causing preflight analysis to inspect a different file identity than the one that passed the workspace boundary check.

## Affected Packages / Versions

- Package: `openclaw`
- Ecosystem: npm
- Affected versions: `< 2026.4.10`
- Patched versions: `>= 2026.4.10`

## Impact

The impact is limited. This was not arbitrary full-file disclosure through the preflight error path. The validator only surfaced derived preflight content, such as a matched token, a line number, or the first non-empty JavaScript line in one branch. Exploitation also required the ability to mutate the relevant workspace path during the preflight window.

Still, this was a real TOCTOU boundary bug in code that is supposed to reason about workspace-local script files before execution. A file identity that passed the initial boundary validation could differ from the identity that was later read for preflight analysis.

## Technical Details

The vulnerable flow performed separate path validation and file reads in `validateScriptFileForShellBleed`. Because the read was path-based, an attacker with write access to the workspace path could race replacement of the target after validation but before preflight read.

## Fix

PR #62333 replaced the check-then-read flow with a pinned safe-open/read path using the shared `readFileWithinRoot` helper. The fixed path performs boundary verification around the opened file identity and avoids relying on a mutable pathname for the final preflight read. Regression tests cover both pre-open and post-open swap windows.

## Fix Commit(s)

- `b024fae9e5df43e9b69b2daebb72be3469d52e91` (`fix(exec): replace TOCTOU check-then-read with atomic pinned-fd open in script preflight [AI]`)
- PR: #62333

## Release Process Note

The fix first shipped in `v2026.4.10`. Users should upgrade to `openclaw` `2026.4.10` or newer; the latest npm release already includes the fix.

## Credits

Thanks to @kikayli for reporting this issue.
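The check-then-read flaw and the pinned-descriptor approach described in the advisory, as an added Node.js example that is not openclaw's code or its `readFileWithinRoot` helper. The function names, the `hook` test seam and the temp-directory files are assumptions constructed for illustration; the swap uses a symlink so the pre-open and post-open windows are deterministic.

```javascript
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');
// True when resolved path p lies strictly below resolved directory root.
const inside = (root, p) => {
  const rel = path.relative(root, p);
  return rel !== '' && !path.isAbsolute(rel) && rel.split(path.sep)[0] !== '..';
};

// BEFORE: check and read are separate path lookups; `hook` (hypothetical test seam) is the race window.
function checkThenRead(root, file, hook = () => {}) {
  if (!inside(fs.realpathSync(root), fs.realpathSync(file))) throw new Error('outside');
  hook();
  return fs.readFileSync(file, 'utf8'); // resolves the mutable path a second time
}

// AFTER: open once, verify the opened identity, read from the same descriptor.
function readPinned(root, file, hook = () => {}) {
  const fd = fs.openSync(file, fs.constants.O_RDONLY | fs.constants.O_NOFOLLOW);
  try {
    hook();
    const opened = fs.fstatSync(fd);
    const real = fs.realpathSync(file);
    const now = fs.statSync(real);
    const same = opened.isFile() && now.dev === opened.dev && now.ino === opened.ino;
    if (!same || !inside(fs.realpathSync(root), real)) throw new Error('swapped or outside');
    return fs.readFileSync(fd, 'utf8'); // content comes from the pinned descriptor
  } finally {
    fs.closeSync(fd);
  }
}

// Constructed demo in a temp dir; swap() replaces the script with a symlink.
function demo() {
  const base = fs.realpathSync(fs.mkdtempSync(path.join(os.tmpdir(), 'toctou-')));
  const [root, outside] = [path.join(base, 'workspace'), path.join(base, 'outside.txt')];
  const script = path.join(root, 'run.js');
  fs.mkdirSync(root);
  fs.writeFileSync(outside, 'OUTSIDE\n');
  const reset = () => { fs.rmSync(script, { force: true }); fs.writeFileSync(script, 'ok()\n'); };
  const swap = () => { fs.rmSync(script); fs.symlinkSync(outside, script); };
  const run = (fn, preOpenSwap, hook) => {
    reset(); if (preOpenSwap) swap();
    try { return fn(root, script, hook); } catch { return 'REJECTED'; }
  };
  const out = { vulnerable: run(checkThenRead, false, swap), postOpen: run(readPinned, false, swap),
    preOpen: run(readPinned, true), clean: run(readPinned, false) };
  fs.rmSync(base, { recursive: true, force: true });
  return out;
}
```

`demo()` returns the out-of-workspace content for the check-then-read version and `REJECTED` for both swap windows in the pinned version; `O_NOFOLLOW` is a POSIX flag, so the pre-open case assumes Linux or macOS.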
Exploitation Scenario
An attacker with a local foothold — either a compromised low-privilege account or a malicious process already in the workspace — identifies that openclaw is about to execute an exec script. The attacker places a benign script at the target path that will pass openclaw's workspace boundary validation. Milliseconds after validation succeeds but before the preflight read executes, the attacker atomically replaces the file at that mutable pathname with a different file containing sensitive content (e.g., a credential file or internal configuration). The preflight reads the swapped file, and its error output surfaces a matched token, line number, or first JavaScript line from the attacker's target — partial information leakage that could reveal secrets or internal logic without triggering a full file read.
Weaknesses (CWE)
CWE-367 — Time-of-check Time-of-use (TOCTOU) Race Condition: The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check.
- [Implementation] The most basic advice for TOCTOU vulnerabilities is to not perform a check before the use. This does not resolve the underlying issue of the execution of a function on a resource whose state and identity cannot be assured, but it does help to limit the false sense of security given by the check.
- [Implementation] When the file being altered is owned by the current user and group, set the effective gid and uid to that of the current user and group when executing this statement.
Source: MITRE CWE corpus.
References
Timeline
Related Vulnerabilities
| CVE | Score | Title | Relation |
|---|---|---|---|
| CVE-2026-33579 | 9.9 | OpenClaw: scope bypass escalates low-priv to admin | Same package: openclaw |
| CVE-2026-32922 | 9.9 | OpenClaw: privilege escalation to RCE via token scope bypass | Same package: openclaw |
| CVE-2026-30741 | 9.8 | OpenClaw: RCE via request-side prompt injection | Same package: openclaw |
| CVE-2026-32038 | 9.8 | Analysis pending | Same package: openclaw |
| CVE-2026-53838 | 9.8 | OpenClaw: approval scope bypass via reconnection state | Same package: openclaw |