CVE-2026-44112
CriticalSummary
OpenClaw before 2026.4.22 contains a time-of-check/time-of-use race condition in OpenShell sandbox filesystem writes that allows attackers to redirect writes outside the intended mount root. Attackers can exploit symlink swaps during filesystem operations to bypass sandbox restrictions and write files outside the local mount root.
Risk Assessment
This vulnerability poses a risk of unauthorized access to the filesystem, potentially leading to data loss or system integrity breaches. Organizations should be aware of the possibility of attackers bypassing sandbox protections.
Recommendation
It is recommended to update OpenClaw to version 2026.4.22 or later to mitigate this vulnerability. Additionally, conducting a filesystem security audit is advisable to minimize risks.
Original NVD description (English source)
OpenClaw before 2026.4.22 contains a time-of-check/time-of-use race condition in OpenShell sandbox filesystem writes that allows attackers to redirect writes outside the intended mount root. Attackers can exploit symlink swaps during filesystem operations to bypass sandbox restrictions and write files outside the local mount root.

