Cyber Resilience

CVE-2026-41296

HighPublic PoC

Published: 21 April 2026

Published
21 April 2026
Modified
27 April 2026
KEV Added
Patch
CVSS Score v4 8.8 CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0020 9.9th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-41296 is a high-severity Time-of-check Time-of-use (TOCTOU) Race Condition (CWE-367) vulnerability in Openclaw Openclaw. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 9.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-25 (Reference Monitor) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2026-41296, published on 2026-04-21, is a time-of-check-to-time-of-use (TOCTOU) race condition (CWE-367) in the remote filesystem bridge's readFile function within OpenClaw versions before 2026.3.31. The vulnerability arises from separate path validation and file read operations, allowing attackers to bypass sandbox restrictions and access arbitrary files on the system. It carries a CVSS v3.1 base score of 8.2 (AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N).

Attackers with low privileges (PR:L) can exploit this over the network (AV:N) without user interaction (UI:N), though it requires high attack complexity (AC:H). Successful exploitation changes the scope (S:C) to the broader system, enabling high-impact confidentiality and integrity violations (C:H/I:H), such as reading sensitive files outside the intended sandbox boundaries.

Mitigation details are provided in the GitHub commit at https://github.com/openclaw/openclaw/commit/121870a08583033ed6a0ed73d9ffea32991252bb, the OpenClaw security advisory at https://github.com/openclaw/openclaw/security/advisories/GHSA-9p3r-hh9g-5cmg, and the VulnCheck advisory at https://www.vulncheck.com/advisories/openclaw-sandbox-escape-via-toctou-race-in-remote-fs-bridge-readfile, which address the race condition in affected versions.

EU & UK References

Vulnerability details

OpenClaw before 2026.3.31 contains a time-of-check-time-of-use race condition in the remote filesystem bridge readFile function that allows sandbox escape. Attackers can exploit the separate path validation and file read operations to bypass sandbox restrictions and read arbitrary files.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1005 Data from Local System Collection
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
Why these techniques?

TOCTOU race condition in remote FS bridge enables sandbox bypass for arbitrary file reads from low-priv context (facilitates T1005 Data from Local System) and constitutes exploitation for privilege escalation (T1068) due to scope change and high C/I impact.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-32988Same product: Openclaw Openclaw
CVE-2026-32979Same product: Openclaw Openclaw
CVE-2026-33573Same product: Openclaw Openclaw
CVE-2026-35638Same product: Openclaw Openclaw
CVE-2026-35663Same product: Openclaw Openclaw
CVE-2026-43578Same product: Openclaw Openclaw
CVE-2026-41404Same product: Openclaw Openclaw
CVE-2026-41344Same product: Openclaw Openclaw
CVE-2026-32057Same product: Openclaw Openclaw
CVE-2026-41299Same product: Openclaw Openclaw

Affected Assets

openclaw
openclaw
≤ 2026.3.31

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

AC-25 requires a reference monitor for reliable access mediation, directly preventing TOCTOU races in sandbox enforcement like the readFile function's separate path check and file read.

prevent

AC-3 mandates enforcement of access authorizations, addressing the failure to consistently restrict file reads within sandbox boundaries due to the race condition.

prevent

SC-50 requires robust software mechanisms for policy enforcement and separation, mitigating flaws in software sandboxes like the remote filesystem bridge's TOCTOU vulnerability.

References