Time-of-check Time-of-use (TOCTOU) Race Condition in OpenClaw - #VU132696


Published: May 29, 2026


Vulnerability identifier: #VU132696
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: N/A
CWE-ID: CWE-367
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: OpenClaw
Affected software:
OpenClaw

Detailed vulnerability description

The vulnerability allows a remote user to bypass an intended allowlist decision and execute inline shell content.

The vulnerability exists due to a time-of-check time-of-use race condition in the exec revalidation logic when processing command requests with combined POSIX shell flags. A remote user can send a crafted command request to bypass an intended allowlist decision and execute inline shell content.

Only configurations where the affected feature is enabled and reachable are vulnerable.
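The defensive pattern this advisory points at, as an added illustrative example (not OpenClaw's code): an allowlist gate that recognises inline shell content even when the `-c` flag is folded into a combined POSIX option cluster such as `-lc` or `-ic`, and that makes its decision on the exact frozen argv that will be executed, so no re-parse can occur between the check and the use. The shell name list and the argv-based interface are assumptions.

```python
"""Illustrative exec allowlist gate (added example; not OpenClaw's code).

Assumptions (not from the advisory): the exec feature receives an argv list,
and "inline shell content" means a POSIX shell invoked with a -c command
string. The decision is bound to one frozen argv (the CWE-367 mitigation).
"""
from typing import Sequence

# Shell program names that accept a -c command string (assumed list).
POSIX_SHELLS = frozenset({"sh", "bash", "dash", "zsh", "ksh", "ash"})


def carries_inline_shell(argv: Sequence[str]) -> bool:
    """True if argv runs a POSIX shell with an inline -c command string.

    Handles combined short-option clusters (-lc, -ic, -ec, ...) where -c is
    folded in with other flags, and -o OPTNAME, which consumes an argument.
    """
    if not argv:
        return False
    if argv[0].rsplit("/", 1)[-1] not in POSIX_SHELLS:
        return False
    skip_next = False
    for arg in argv[1:]:
        if skip_next:             # argument consumed by a preceding -o
            skip_next = False
            continue
        if arg == "--":           # end of options: what follows is a script path
            return False
        if arg.startswith("--"):  # long options such as --login carry no -c
            continue
        if arg.startswith("-") and len(arg) > 1:
            cluster = arg[1:]
            if "c" in cluster:    # -c, -lc, -ic, -ec all mean inline content
                return True
            if cluster.endswith("o"):  # -o OPTNAME takes the next argument
                skip_next = True
            continue
        return False              # first operand is a script, not inline content
    return False


def allowlist_decision(argv: Sequence[str], allowed_programs: frozenset) -> tuple:
    """Decide once on a frozen argv and return (allowed, argv_to_execute).

    Returning the decision together with the exact argv it was made on binds
    the check to the use: the caller executes that tuple, never a re-parsed copy.
    """
    frozen = tuple(argv)
    prog = frozen[0].rsplit("/", 1)[-1] if frozen else ""
    allowed = prog in allowed_programs and not carries_inline_shell(frozen)
    return allowed, frozen
```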


Remediation

Install the security update from the vendor's website.

Sources