SB2026052913 - Multiple vulnerabilities in OpenClaw
Published: May 29, 2026
Description
This security bulletin contains information about 2 vulnerabilities.
1) Time-of-check Time-of-use (TOCTOU) Race Condition (CVE-ID: N/A)
CWE-ID: CWE-367 - Time-of-check Time-of-use (TOCTOU) Race Condition
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to obtain broader node authority than intended.
The vulnerability exists due to a time-of-check time-of-use race condition in the node pairing reconnection feature when handling paired or reconnecting node sessions: the pairing state is checked and then acted upon without being re-validated, so a state transition that lands between the check and the use is honoured. A remote user who can drive pairing state transitions can manipulate them to obtain broader node authority than intended. Per the CVSS vector, the attacker needs low privileges (PR:L, i.e. some existing node or pairing identity) and must satisfy an attack requirement such as winning the race window (AT:P).
Only instances with node pairing enabled and reachable over the network are vulnerable. Practical impact depends on operator configuration and on whether lower-trust input can reach the affected path.
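As an added illustration, not OpenClaw's code and not derived from the vendor's fix, the following TypeScript shows the check-then-act shape behind CWE-367 in a reconnect flow and one way to fail closed. The pairing store, its `status` and `version` fields, the `verifyReconnectToken` step and the node id are assumptions made for the demo. The await between the status check and the grant is the race window; the hardened variant re-reads the record after the await and requires it to be both still paired and unchanged.

```typescript
// Added illustration of the check-then-act race described above. This is not
// OpenClaw's code: the pairing store, its fields and the reconnect flow are
// assumptions made for the demo.

type PairingStatus = "pending" | "paired" | "revoked";
type Authority = "none" | "full";

interface Pairing {
  nodeId: string;
  status: PairingStatus;
  version: number; // incremented on every state transition
}

// Minimal in-memory pairing store (hypothetical).
class PairingStore {
  private readonly pairings = new Map<string, Pairing>();

  upsert(p: Pairing): void {
    this.pairings.set(p.nodeId, { ...p });
  }

  // Returns a snapshot so a caller cannot observe later mutations through it.
  get(nodeId: string): Pairing | undefined {
    const p = this.pairings.get(nodeId);
    return p ? { ...p } : undefined;
  }

  revoke(nodeId: string): void {
    const p = this.pairings.get(nodeId);
    if (p) {
      p.status = "revoked";
      p.version += 1;
    }
  }
}

// Stands in for an asynchronous step between check and use (for example
// verifying a reconnect token); the await is the race window.
async function verifyReconnectToken(): Promise<boolean> {
  await Promise.resolve();
  return true;
}

type ReconnectFn = (store: PairingStore, nodeId: string) => Promise<Authority>;

// VULNERABLE: status is checked, the flow awaits, then authority is granted on
// the strength of the stale check. A revoke that lands during the await is lost.
const reconnectVulnerable: ReconnectFn = async (store, nodeId) => {
  const pairing = store.get(nodeId);
  if (!pairing || pairing.status !== "paired") return "none"; // time of check
  if (!(await verifyReconnectToken())) return "none"; // state can change here
  return "full"; // time of use
};

// HARDENED: re-read after the await and require the pairing to be still paired
// and unchanged (version match), so any interleaved transition fails closed.
const reconnectHardened: ReconnectFn = async (store, nodeId) => {
  const before = store.get(nodeId);
  if (!before || before.status !== "paired") return "none";
  if (!(await verifyReconnectToken())) return "none";
  const after = store.get(nodeId);
  if (!after || after.status !== "paired" || after.version !== before.version) {
    return "none";
  }
  return "full";
};

// Race driver: start a reconnect for a paired node, then revoke the pairing
// while the reconnect is parked on its await. Returns the authority granted.
async function raceRevokeDuringReconnect(reconnect: ReconnectFn): Promise<Authority> {
  const store = new PairingStore();
  store.upsert({ nodeId: "node-a", status: "paired", version: 1 });
  const inFlight = reconnect(store, "node-a"); // runs synchronously up to its first await
  store.revoke("node-a"); // lands inside the race window
  return inFlight;
}

// Control: with no interleaved transition both variants grant authority.
async function reconnectWithoutRace(reconnect: ReconnectFn): Promise<Authority> {
  const store = new PairingStore();
  store.upsert({ nodeId: "node-a", status: "paired", version: 1 });
  return reconnect(store, "node-a");
}

// Stand-alone run: prints "vulnerable: full" and "hardened: none".
raceRevokeDuringReconnect(reconnectVulnerable).then((a) => console.log("vulnerable:", a));
raceRevokeDuringReconnect(reconnectHardened).then((a) => console.log("hardened:", a));
```

The vulnerable variant still returns "full" after the revoke has landed; the hardened one returns "none". Serialising all transitions for a node (a per-node lock or single-writer queue) is the other common fix; either way the decision must be taken on state read after the last suspension point, not before it.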
2) Untrusted search path (CVE-ID: N/A)
CWE-ID: CWE-426 - Untrusted Search Path
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a local user to execute an unintended executable.
The vulnerability exists due to improper control of executable selection in the skill install helper when processing a workspace .env file during skill install flows: values taken from that file influence which executable the helper runs. A local user can place a crafted .env file in a repository; when another user later runs a skill install flow in that workspace (the CVSS vector requires active user interaction, UI:A), the helper executes an unintended executable.
Only installations with the affected feature enabled and reachable are vulnerable, and only when a skill install flow is run in a workspace whose .env file the operator does not control.
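As an added illustration, not OpenClaw's code and not the vendor's fix, the following TypeScript shows the CWE-426 shape in an install helper that honours a workspace .env file, next to a hardened version. The .env parser, the denylist of executable-selection variables, the simulated filesystem and the sample .env contents are all assumptions made for the demo; a real helper would spawn a child process where this code only returns the path it would have run.

```typescript
// Added illustration of the untrusted-search-path pattern described above. This
// is not OpenClaw's code: the .env parser, the key denylist and the simulated
// filesystem are assumptions made for the demo.

type Env = { [key: string]: string };

// Parses the .env subset used here: KEY=value lines, '#' comments, optional
// matching surrounding quotes. Hypothetical; real parsers accept more syntax.
function parseDotenv(text: string): Env {
  const env: Env = {};
  for (const rawLine of text.split("\n")) {
    const line = rawLine.trim();
    if (line === "" || line.startsWith("#")) continue;
    const eq = line.indexOf("=");
    if (eq <= 0) continue;
    const key = line.slice(0, eq).trim();
    let value = line.slice(eq + 1).trim();
    const quoted = value.length >= 2 && value[0] === value[value.length - 1] && (value[0] === '"' || value[0] === "'");
    if (quoted) value = value.slice(1, -1);
    env[key] = value;
  }
  return env;
}

// Variables through which a workspace file could change *which* code runs rather
// than how a tool behaves. Assumed denylist; extend it for your platform.
const EXECUTABLE_SELECTION_KEYS = new Set<string>([
  "PATH", "LD_PRELOAD", "LD_LIBRARY_PATH", "DYLD_INSERT_LIBRARIES",
  "DYLD_LIBRARY_PATH", "NODE_OPTIONS", "PYTHONPATH", "PERL5LIB", "RUBYOPT",
]);

function sanitizeWorkspaceEnv(env: Env): Env {
  const out: Env = {};
  for (const key of Object.keys(env)) {
    const upper = key.toUpperCase();
    if (EXECUTABLE_SELECTION_KEYS.has(upper) || upper.startsWith("LD_") || upper.startsWith("DYLD_")) continue;
    out[key] = env[key];
  }
  return out;
}

// Simulated filesystem: the set of executable paths that exist. PATH lookup is
// done by hand (POSIX ':' separator) so the demo needs no runtime modules.
type FakeFs = Set<string>;

function resolveOnPath(tool: string, pathValue: string, fs: FakeFs): string | undefined {
  for (const dir of pathValue.split(":")) {
    if (dir === "") continue;
    const candidate = dir.endsWith("/") ? dir + tool : dir + "/" + tool;
    if (fs.has(candidate)) return candidate;
  }
  return undefined;
}

// VULNERABLE: the workspace .env is layered over the process env *before* the
// tool is looked up, so a PATH value from the repository decides which binary runs.
function selectInstallerVulnerable(tool: string, processEnv: Env, dotenvText: string, fs: FakeFs): string | undefined {
  const merged: Env = { ...processEnv, ...parseDotenv(dotenvText) };
  return resolveOnPath(tool, merged["PATH"] ?? "", fs);
}

// HARDENED: resolve the tool against the process's own PATH before any workspace
// input is consulted, and forward only sanitized workspace keys to the child env.
function selectInstallerHardened(tool: string, processEnv: Env, dotenvText: string, fs: FakeFs): { exe: string | undefined; childEnv: Env } {
  const exe = resolveOnPath(tool, processEnv["PATH"] ?? "", fs);
  const childEnv: Env = { ...processEnv, ...sanitizeWorkspaceEnv(parseDotenv(dotenvText)) };
  return { exe, childEnv };
}

// Constructed sample: a repository .env that puts a repo-controlled directory first on PATH.
const SAMPLE_DOTENV = [
  "# looks like harmless project config",
  'API_URL="https://example.invalid"',
  'PATH="/workspace/.tools:/usr/bin"',
].join("\n");

const SAMPLE_FS: FakeFs = new Set<string>(["/usr/bin/git", "/workspace/.tools/git"]);
const SAMPLE_PROCESS_ENV: Env = { PATH: "/usr/local/bin:/usr/bin", HOME: "/home/operator" };

// Stand-alone run: prints the repo-controlled path for the vulnerable variant and
// /usr/bin/git for the hardened one.
console.log("vulnerable:", selectInstallerVulnerable("git", SAMPLE_PROCESS_ENV, SAMPLE_DOTENV, SAMPLE_FS));
console.log("hardened:  ", selectInstallerHardened("git", SAMPLE_PROCESS_ENV, SAMPLE_DOTENV, SAMPLE_FS).exe);
```

The ordering is the whole fix: the executable must be chosen from trusted state (the process's own PATH, or an absolute path from configuration) before the workspace file is read, and variables that change which code gets loaded are dropped from the child environment rather than passed through. An allowlist of keys the installer actually needs is stricter than the denylist shown here and is the better choice when the set of legitimate keys is known.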
Remediation
Install the update from the vendor's website. Until it is applied, exposure can be reduced by keeping the node pairing feature unreachable from lower-trust networks and users, and by not running skill install flows in workspaces whose .env file comes from an untrusted repository.