Time-of-check Time-of-use (TOCTOU) Race Condition in OpenClaw - CVE-2026-32921

Published: April 8, 2026


Vulnerability identifier: #VU125139
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-32921
CWE-ID: CWE-367
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: OpenClaw
Affected software:
OpenClaw

Detailed vulnerability description

The vulnerability allows a remote user to bypass approved script content constraints and execute unintended code.

The vulnerability exists due to a time-of-check time-of-use race condition in the system.run approval flow: when a command invokes an interpreter on a script operand (for example a shell or language interpreter followed by a script path), approval is granted for the command as it appears in argv, but the script file that argv points to is not pinned between approval and execution. A remote user can obtain approval for such a command, modify the approved script on disk before it runs, and then execute the different content under the previously approved command shape, bypassing approved script content constraints and executing unintended code.

The issue affects mutable script operands: the approved argv values remain unchanged, so the approval check still passes, while the on-disk script content drifts after approval and before use.
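To make the advisory's point concrete, the following is an added illustration (not OpenClaw's code, and not tied to its actual system.run implementation) of the difference between a shape-only approval and an approval that pins the script content. The approval record, the interpreter list, the file names and the script bodies are all constructed for this example; the only assumption is that an approval flow records argv at approval time and consults that record at execution time, as the description above states.

```python
import hashlib
import os
import tempfile
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed illustration of a CWE-367 approve/execute flow.
# An Approval with script_digest=None models the weak "command shape only"
# check; a non-None digest models pinning the script bytes at approval time.

@dataclass(frozen=True)
class Approval:
    argv: Tuple[str, ...]
    script_digest: Optional[str]  # None => approved by argv shape only


# Hypothetical list of interpreter names whose first operand is a script path.
INTERPRETERS = {"bash", "sh", "python", "python3", "node"}


def sha256_file(path: str) -> str:
    """Hash the file contents in chunks so large scripts are handled too."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def script_operand(argv) -> Optional[str]:
    """Return the script path for interpreter-style commands, else None."""
    if argv and os.path.basename(argv[0]) in INTERPRETERS and len(argv) > 1:
        return argv[1]
    return None


def approve(argv, pin_content: bool = True) -> Approval:
    """Record an approval; optionally bind it to the script's current bytes."""
    path = script_operand(argv)
    digest = sha256_file(path) if (pin_content and path) else None
    return Approval(tuple(argv), digest)


def may_execute(approval: Approval, argv) -> Tuple[bool, str]:
    """Execution-time check: argv must match, and pinned content must not drift."""
    if tuple(argv) != approval.argv:
        return False, "argv differs from approved command"
    path = script_operand(argv)
    if path is None or approval.script_digest is None:
        # Shape-only approval: nothing ties the decision to the script bytes.
        return True, "approved by command shape only"
    if sha256_file(path) != approval.script_digest:
        return False, "script content changed since approval"
    return True, "script content matches approval"


def demo() -> Tuple[bool, bool]:
    """Simulate drift between approval and execution for both approval kinds."""
    with tempfile.TemporaryDirectory() as d:
        script = os.path.join(d, "task.sh")  # constructed script path
        with open(script, "w") as f:
            f.write("echo hello\n")  # constructed content at approval time
        argv = ["bash", script]
        shape_only = approve(argv, pin_content=False)
        pinned = approve(argv, pin_content=True)
        # The file drifts after approval; argv is unchanged.
        with open(script, "w") as f:
            f.write("echo drifted\n")
        return may_execute(shape_only, argv)[0], may_execute(pinned, argv)[0]


if __name__ == "__main__":
    print(demo())  # expected: (True, False)
```

The shape-only record still returns True after the file changed, which is the behaviour the advisory describes; the pinned record refuses. Note that hashing the path again at execution time narrows the window rather than closing it: if the interpreter re-opens the path after the check, the same race reappears between the hash and the read. A fully hardened flow should hand the interpreter the exact bytes that were verified (for instance by reading the file once and passing that buffer on stdin, or by executing a private copy written at approval time) instead of re-opening a path the requester can still write to.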


How to mitigate CVE-2026-32921

Install security update from vendor's website.

Sources