#VU125139 Time-of-check Time-of-use (TOCTOU) Race Condition in OpenClaw - CVE-2026-32921
Published: April 8, 2026
OpenClaw
Description
The vulnerability allows a remote user to bypass approved script content constraints and execute unintended code.
The vulnerability exists due to a time-of-check time-of-use race condition in the system.run approval flow when it processes interpreter-style script operands: the script is checked at approval time but used at execution time. A remote user can obtain approval for a command, modify the approved script before it runs, and then execute different content under the previously approved command shape, bypassing the approved-script content constraints and executing unintended code.
The issue affects mutable script operands: the approved argv values remain unchanged while the on-disk script content drifts between approval and execution.
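The pattern below is an added, illustrative mitigation and is not OpenClaw's code: approval binds not only the argv shape but a digest of the script operand's content, and execution re-reads the file once, verifies the digest, and feeds the verified bytes to the interpreter over stdin so the path is never re-opened. The interpreter list, the record format and the helper names are assumptions for the example.

```python
import hashlib
import os
import subprocess
import tempfile
from typing import Optional

# Assumed set of interpreters whose first non-flag operand is a script file.
SCRIPT_INTERPRETERS = {"python", "python3", "bash", "sh", "node"}


class ScriptDriftError(RuntimeError):
    """Raised when the script changed between approval (check) and execution (use)."""


def script_operand(argv: list) -> Optional[str]:
    """Return the script path for an interpreter-style argv, or None."""
    if not argv or os.path.basename(argv[0]) not in SCRIPT_INTERPRETERS:
        return None
    return next((a for a in argv[1:] if not a.startswith("-")), None)


def approve(argv: list) -> dict:
    """Approval record binds argv AND the SHA-256 of the script content, not just the shape."""
    record = {"argv": list(argv), "script": script_operand(argv), "sha256": None}
    if record["script"] is not None:
        with open(record["script"], "rb") as f:
            record["sha256"] = hashlib.sha256(f.read()).hexdigest()
    return record


def verified_script_bytes(approval: dict) -> Optional[bytes]:
    """Read the script exactly once at execution time and refuse it if the digest drifted."""
    if approval["script"] is None:
        return None
    with open(approval["script"], "rb") as f:
        content = f.read()
    if hashlib.sha256(content).hexdigest() != approval["sha256"]:
        raise ScriptDriftError(f"{approval['script']} changed after approval")
    return content


def run_approved(approval: dict) -> subprocess.CompletedProcess:
    """Execute the verified bytes via stdin ("-") so the interpreter never re-opens the path."""
    content = verified_script_bytes(approval)
    if content is None:
        return subprocess.run(approval["argv"], capture_output=True, check=False)
    argv = [a for a in approval["argv"] if a != approval["script"]] + ["-"]
    return subprocess.run(argv, input=content, capture_output=True, check=False)


def write_script(content: bytes, path: Optional[str] = None) -> str:
    """Helper for constructed sample input: write a script into a temp dir and return its path."""
    path = path or os.path.join(tempfile.mkdtemp(), "job.py")
    with open(path, "wb") as f:
        f.write(content)
    return path
```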