CVE-2026-43529 OpenClaw < 2026.4.10 - Time-of-Check-Time-of-Use (TOCTOU) Race Condition in exec Script Preflight Validator

OpenClaw before 2026.4.10 contains a time-of-check-time-of-use vulnerability in the validateScriptFileForShellBleed function that allows local attackers to bypass workspace boundary checks. An attacker with workspace write access can race-condition swap the target file between validation and...

CVE-2026-43529

OpenClaw before 2026.4.10 has a time-of-check-time-of-use (TOCTOU) race condition in validateScriptFileForShellBleed that lets a local attacker with workspace write access bypass workspace boundary checks. The attacker can race-condition the target file swap between validation and preflight read,...

OpenClaw: TOCTOU read in exec script preflight

Summary OpenClaw's exec script preflight validator previously validated and then read a script by mutable pathname. A local race could swap the path between validation and read, causing preflight analysis to inspect a different file identity than the one that passed the workspace boundary check...

OpenClaw's complex interpreter pipelines could skip exec script preflight validation

Summary Before OpenClaw 2026.4.2, exec script preflight validation could fail open on complex interpreter invocations such as pipes or other non-simple command forms. In those cases, script-content validation could be skipped entirely. Impact An attacker-controlled command shape could bypass the...