AI Threat Alert
## Summary OpenClaw's exec script preflight validator previously validated and then read a script by mutable pathname. A local race could swap the path between validation and read, causing preflight analysis to inspect a different file identity than the one that passed the workspace boundary...
Full CISO analysis pending enrichment.
Affected Systems
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| openclaw | npm | < 2026.4.10 | 2026.4.10 |
Do you use openclaw? You're affected.
Severity & Risk
Recommended Action
Patch available
Update openclaw to version 2026.4.10
Compliance Impact
Compliance analysis pending. Sign in for full compliance mapping when available.
Frequently Asked Questions
What is GHSA-gj9q-8w99-mp8j?
OpenClaw: TOCTOU read in exec script preflight
Is GHSA-gj9q-8w99-mp8j actively exploited?
No confirmed active exploitation of GHSA-gj9q-8w99-mp8j has been reported, but organizations should still patch proactively.
How to fix GHSA-gj9q-8w99-mp8j?
Update to patched version: openclaw 2026.4.10.
What is the CVSS score for GHSA-gj9q-8w99-mp8j?
No CVSS score has been assigned yet.
Technical Details
NVD Description
## Summary OpenClaw's exec script preflight validator previously validated and then read a script by mutable pathname. A local race could swap the path between validation and read, causing preflight analysis to inspect a different file identity than the one that passed the workspace boundary check. ## Affected Packages / Versions - Package: `openclaw` - Ecosystem: npm - Affected versions: `< 2026.4.10` - Patched versions: `>= 2026.4.10` ## Impact The impact is limited. This was not arbitrary full-file disclosure through the preflight error path. The validator only surfaced derived preflight content, such as a matched token, a line number, or the first non-empty JavaScript line in one branch. Exploitation also required the ability to mutate the relevant workspace path during the preflight window. Still, this was a real TOCTOU boundary bug in code that is supposed to reason about workspace-local script files before execution. A file identity that passed the initial boundary validation could differ from the identity that was later read for preflight analysis. ## Technical Details The vulnerable flow performed separate path validation and file reads in `validateScriptFileForShellBleed`. Because the read was path-based, an attacker with write access to the workspace path could race replacement of the target after validation but before preflight read. ## Fix PR #62333 replaced the check-then-read flow with a pinned safe-open/read path using the shared `readFileWithinRoot` helper. The fixed path performs boundary verification around the opened file identity and avoids relying on a mutable pathname for the final preflight read. Regression tests cover both pre-open and post-open swap windows. ## Fix Commit(s) - `b024fae9e5df43e9b69b2daebb72be3469d52e91` (`fix(exec): replace TOCTOU check-then-read with atomic pinned-fd open in script preflight [AI]`) - PR: #62333 ## Release Process Note The fix first shipped in `v2026.4.10`. Users should upgrade to `openclaw` `2026.4.10` or newer; the latest npm release already includes the fix. ## Credits Thanks to @kikayli for reporting this issue.
Weaknesses (CWE)
References
Timeline
Related Vulnerabilities
CVE-2026-30741 9.8 OpenClaw: RCE via request-side prompt injection
Same package: openclaw CVE-2026-28451 9.3 OpenClaw: SSRF via Feishu extension exposes internal services
Same package: openclaw GHSA-m3mh-3mpg-37hw 8.6 OpenClaw: .npmrc hijack enables RCE on plugin install
Same package: openclaw CVE-2026-27001 7.8 OpenClaw: prompt injection via unsanitized workspace path
Same package: openclaw GHSA-hr5v-j9h9-xjhg 7.7 OpenClaw: sandbox escape via mediaUrl path traversal
Same package: openclaw