Time-of-Check/Time-of-Use Race Condition in OpenClaw by OpenClaw
CVE-2026-44113

8.3HIGH

Key Information:

Vendor: Openclaw
Status: Openclaw
Vendor: CVE Published:; 6 May 2026

🔔 Create Openclaw Vulnerability Alert

Badges

📰 News Worthy

What is CVE-2026-44113?

Recent vulnerabilities in OpenClaw prior to version 2026.4.22 expose users to significant risks through a time-of-check/time-of-use race condition within the OpenShell filesystem bridge. This flaw permits attackers to manipulate symlink swaps during filesystem operations, potentially allowing them to breach sandbox restrictions and gain unauthorized access to sensitive files. Specifically, the vulnerability enables the reading of files beyond the scope of the intended mount root, putting critical data at risk.

Affected Version(s)

OpenClaw 0 < 2026.4.22

OpenClaw 2026.4.22

News Articles

The Hacker News

CVE-2026-44112 CVE-2026-44113

Four OpenClaw Flaws Enable Data Theft, Privilege Escalation, and Persistence

Claw Chain flaws in OpenClaw 2026.4.22 enable data theft, privilege escalation, and persistence when chained.

3 weeks ago

thmubnail image

References

https://github.com/openclaw/openclaw/security/advisories/...

vendor-advisory

https://github.com/openclaw/openclaw/commit/95119017c847c...

https://www.vulncheck.com/advisories/openclaw-time-of-che...

third-party-advisory

CVSS V4

Score:

8.3

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

📰
First article discovered by The Hacker News
May 15, 2026
Vulnerability published
May 6, 2026
Vulnerability Reserved
May 5, 2026

Credit

vladimir tokarev (@VladimirEliTokarev)

CVE-2026-44113 Data

.