GHSA-wppj-c6mr-83jj: openclaw: TOCTOU sandbox escape via symlink swap

GHSA-wppj-c6mr-83jj HIGH
Published May 4, 2026
CISO Take

OpenClaw's OpenShell filesystem bridge contains a time-of-check/time-of-use race condition that allows a symlink swap to redirect agent-initiated writes outside the intended sandbox mount root — effectively a full sandbox escape to the host filesystem. For organizations using openclaw as an AI agent framework, this breaks the trust boundary that sandboxing provides: any attacker who can influence agent tool invocations can write arbitrary files on the host. The severity is compounded by the documented malicious skills ecosystem: AIID #1368 (February 2026) reported ~17% of third-party OpenClaw skills assessed as malicious, delivering credential stealers — that same vector now has a host-escape primitive attached to it. Patch to openclaw 2026.4.22 immediately; if patching cannot happen today, restrict agent filesystem operations to read-only at the OS level via seccomp or AppArmor and audit all installed third-party skills.

Sources: GitHub Advisory, MITRE ATLAS, AIID

What is the risk?

High severity sandbox escape in an AI agent framework. TOCTOU exploitation requires timing but is a well-understood attack class with widely available tooling, placing it solidly in the moderate sophistication tier. The vulnerability directly defeats sandboxing as a security control — a foundational isolation mechanism in agentic AI deployments. With 135 prior CVEs recorded against openclaw and an active documented malicious skills ecosystem, the probability of chained exploitation is elevated above the baseline suggested by the 4-dependent count. No public exploit or CISA KEV entry at time of analysis, but the host-write primitive in an environment where malicious skills are already circulating warrants treating this as urgent.

How does the attack unfold?

  1. Malicious Skill Delivery (AML.T0010.005): Adversary publishes or compromises a third-party OpenClaw skill that, when invoked, triggers an agent filesystem write operation to a path the attacker controls.

  2. Race Condition Setup (AML.T0049): Adversary replaces a directory component in the write target path with a symlink pointing to a sensitive host directory (e.g., /root/.ssh or /etc/cron.d) in the window between path validation and the actual write.

  3. Sandbox Escape (AML.T0105): OpenShell bridge validates the canonical path at check-time but writes to the resolved symlink target at use-time, landing the write outside the sandbox mount root on the host filesystem.

  4. Host Persistence (AML.T0112.000): Adversary uses the arbitrary host write primitive to implant backdoors, inject authorized SSH keys, or place malicious cron entries for persistent access and privilege escalation beyond the agent environment.

What systems are affected?

Package: OpenClaw
Ecosystem: npm
Vulnerable Range: <= 2026.4.21
Patched: 2026.4.22
Dependents: 4 (36% patched, ~3d to patch)

Do you use OpenClaw? You're affected.

How severe is it?

CVSS 3.1: N/A
EPSS: N/A
Exploitation Status: No known exploitation
Sophistication: Moderate

What should I do?

  1. Patch immediately: upgrade openclaw to 2026.4.22 (fix commit 7be82d4).

  2. Audit agent filesystem activity logs for writes landing outside expected sandbox paths — specifically look for writes to parent directories relative to the sandbox mount root.

  3. If patching is not immediately possible, restrict agent filesystem tool permissions to read-only and enforce symlink restrictions at the OS level via seccomp or AppArmor policies.

  4. Audit all installed third-party OpenClaw skills against the AIID #1368 malicious skills report; remove any unverified or recently-added skills pending review.

  5. Deploy host-level integrity monitoring (Falco, AIDE) to detect unexpected file creation or modification outside agent-designated directories.

  6. In multi-tenant environments, add host isolation (separate VMs or namespaces) for untrusted agent workloads until patched.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Art.15 - Accuracy, robustness and cybersecurity
ISO 42001
A.9.4 - Technical security measures for AI systems
NIST AI RMF
MANAGE 2.2 - Mechanisms exist to sustain appropriate AI risk management operations
OWASP LLM Top 10
LLM06 - Excessive Agency

Frequently Asked Questions

Is GHSA-wppj-c6mr-83jj actively exploited?

No confirmed active exploitation of GHSA-wppj-c6mr-83jj has been reported, but organizations should still patch proactively.

What systems are affected by GHSA-wppj-c6mr-83jj?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, AI agent sandboxing, model serving with filesystem access, multi-tenant agent platforms.

What is the CVSS score for GHSA-wppj-c6mr-83jj?

No CVSS score has been assigned yet.

What is the AI security impact?

Affected AI Architectures

agent frameworks, AI agent sandboxing, model serving with filesystem access, multi-tenant agent platforms

MITRE ATLAS Techniques

AML.T0010.005 AI Agent Tool
AML.T0053 AI Agent Tool Invocation
AML.T0105 Escape to Host
AML.T0112.000 Local AI Agent

Compliance Controls Affected

EU AI Act: Art.15
ISO 42001: A.9.4
NIST AI RMF: MANAGE 2.2
OWASP LLM Top 10: LLM06

What are the technical details?

Original Advisory

## Summary

OpenShell FS bridge writes stay pinned to the sandbox mount root.

## Affected Packages / Versions

- Package: openclaw (npm)
- Affected versions: <= 2026.4.21
- Fixed version: 2026.4.22

## Impact

A time-of-check/time-of-use race around OpenShell sandbox filesystem writes could let a symlink swap redirect a write outside the intended local mount root.

## Fix

OpenShell write paths now validate the canonical target against the mount root, reject unsafe symlink parents and symlink leaves for writes, and use root-scoped write helpers before syncing to the remote sandbox.

## Fix Commit(s)

- 7be82d4fd1193bcb7e44ee38838f00bf924ffa76

## Verification

- The fix commit is contained in the public v2026.4.22 tag.
- openclaw@2026.4.22 is published on npm and the compiled package contains the fix.
- Focused regression coverage for this path passed before publication.

OpenClaw thanks @VladimirEliTokarev for reporting.

Exploitation Scenario

An attacker publishes a malicious third-party OpenClaw skill — consistent with the AIID #1368 pattern — designed to trigger a write to a controlled path inside the sandbox mount root. When the skill is invoked by a victim agent, the attacker races to replace a directory component of the target path with a symlink pointing to a sensitive host location (e.g., /root/.ssh, /etc/cron.d, or a shared library path). OpenShell validates the canonical path at check-time before the write begins, but by use-time the symlink is in place and the write lands on the host. The attacker then writes an authorized_keys entry or a cron job stub, achieving persistent host access without ever leaving the agent interface.
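The fix described in the advisory (validate against the mount root, reject symlink parents and symlink leaves, use root-scoped write helpers) can be implemented without any check/use window by opening each path component relative to a directory descriptor with O_NOFOLLOW, so the kernel itself refuses a symlink swapped in at any point. This is an added example, not openclaw's own code; it assumes Linux or macOS (os.open with dir_fd), all function names are hypothetical, and demo() builds a constructed scenario in temporary directories: a normal write, then the parent directory swapped for a symlink to an outside directory, then a symlink leaf, both of which the write refuses.

```python
import os
import tempfile

class UnsafePathError(Exception): pass

def _openat(name: str, flags: int, dir_fd: int) -> int:
    # O_NOFOLLOW: the kernel refuses a symlink here (ELOOP), even one swapped in late
    try:
        return os.open(name, flags | os.O_NOFOLLOW, 0o600, dir_fd=dir_fd)
    except OSError as e:
        raise UnsafePathError(f"unsafe component {name!r}: {e.strerror}") from e

def write_within_root(root: str, rel_path: str, data: bytes) -> int:
    """Write root/rel_path by opening each component relative to the previous
    directory fd, so there is no separate check whose result can go stale."""
    parts = rel_path.split("/")
    if rel_path.startswith("/") or any(p in ("", ".", "..") for p in parts):
        raise UnsafePathError(f"path must be relative without traversal: {rel_path!r}")
    fd = os.open(root, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    try:
        for comp in parts[:-1]:  # parents must be real directories, not links
            nxt = _openat(comp, os.O_RDONLY | os.O_DIRECTORY, fd)
            os.close(fd)
            fd = nxt
        leaf = _openat(parts[-1], os.O_WRONLY | os.O_CREAT | os.O_TRUNC, fd)
        with os.fdopen(leaf, "wb") as f:
            return f.write(data)
    finally:
        os.close(fd)

def refused(root: str, rel_path: str) -> bool:
    # True if write_within_root rejects root/rel_path (nothing gets written)
    try:
        write_within_root(root, rel_path, b"x")
        return False
    except UnsafePathError:
        return True

def demo() -> dict:
    # constructed scenario: normal write, then the swap the advisory describes
    results = {}
    with tempfile.TemporaryDirectory() as sandbox, tempfile.TemporaryDirectory() as host:
        work = os.path.join(sandbox, "work")
        os.mkdir(work)
        results["normal_write"] = write_within_root(sandbox, "work/notes.txt", b"hello")
        os.rename(work, work + ".old")  # swap: "work" becomes a symlink that
        os.symlink(host, work)          # points outside the sandbox root
        results["parent_swap_refused"] = refused(sandbox, "work/authorized_keys")
        results["host_untouched"] = not os.path.exists(os.path.join(host, "authorized_keys"))
        os.symlink(os.path.join(host, "cfg"), os.path.join(work + ".old", "cfg"))
        results["leaf_symlink_refused"] = refused(sandbox, "work.old/cfg")
    return results
```

Because the descriptor walk never consults a path string after the check, a swap between validation and write has no effect; the write either reaches a real directory under the root or fails.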

Weaknesses (CWE)

CWE-367 — Time-of-check Time-of-use (TOCTOU) Race Condition: The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check.

  • [Implementation] The most basic advice for TOCTOU vulnerabilities is to not perform a check before the use. This does not resolve the underlying issue of the execution of a function on a resource whose state and identity cannot be assured, but it does help to limit the false sense of security given by the check.
  • [Implementation] When the file being altered is owned by the current user and group, set the effective gid and uid to that of the current user and group when executing this statement.

Source: MITRE CWE corpus.

Timeline

Published: May 4, 2026
Last Modified: May 4, 2026
First Seen: May 5, 2026
