GHSA-F7WW-2725-QVW2: TOCTOU Approval Bypass in OpenClaw via Symlink Rebinding
Vulnerability ID: GHSA-F7WW-2725-QVW2
CVSS Score: High
Published: 2026-03-02
A high-severity Time-of-Check Time-of-Use (TOCTOU) vulnerability exists in the OpenClaw AI assistant framework, specifically within the system.run command approval workflow. The flaw allows local attackers or compromised sub-processes to bypass administrator approval restrictions by manipulating symbolic links in the Current Working Directory (CWD) path. By altering filesystem state between the approval phase and the execution phase, an attacker can redirect command execution to unauthorized, sensitive directories (e.g., /root or /etc) despite the administrator approving a benign path.
TL;DR
OpenClaw versions prior to 2026.2.26 contain a race condition in the command approval mechanism. Attackers can gain unauthorized filesystem access by swapping symbolic links in the target directory path after an administrator grants approval but before the command executes. This bypasses security controls intended to restrict agent behavior.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-367 (TOCTOU)
- Attack Vector: Local / Context-Dependent
- Severity: High
- CVSS Score: N/A (severity rated High)
- Exploit Status: Conceptual PoC
- Patch Date: 2026-02-26
Affected Systems
- OpenClaw: < 2026.2.26 (Fixed in: 2026.2.26)
Code Analysis
- Commit 78a7ff2: Harden node exec approvals by disallowing mutable symlinks in path
- Commit 4b4718c: Decompose nodes run approval flow to use immutable plans
Mitigation Strategies
- Upgrade to OpenClaw v2026.2.26
- Enforce Least Privilege for Agent processes
- Restrict writable directories in agent environments
Remediation Steps:
- Identify all instances of OpenClaw running in the infrastructure.
- Update the openclaw dependency in package.json to ^2026.2.26.
- Rebuild and redeploy the Node agents.
- Verify the fix by attempting to execute a command via a symlinked path in a writable directory; the system should now reject this request.
References
Read the full report for GHSA-F7WW-2725-QVW2 on our website for more details including interactive diagrams and full exploit analysis.