{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/openclaw--2026.4.21/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["openclaw (\u003c= 2026.4.21)"],"_cs_severities":["high"],"_cs_tags":["sandbox-escape","symlink","race-condition","npm"],"_cs_type":"advisory","_cs_vendors":["npm"],"content_html":"\u003cp\u003eOpenClaw, a tool available via npm, contains a vulnerability in versions 2026.4.21 and earlier that could allow for a sandbox escape. This vulnerability stems from a time-of-check/time-of-use (TOCTOU) race condition during filesystem writes within the OpenShell sandbox environment. An attacker could potentially exploit this vulnerability by manipulating symlinks to redirect write operations outside of the intended local mount root. This can occur because OpenClaw does not properly validate the target of write operations against the mount root, leaving it susceptible to symlink-based redirection attacks. Successful exploitation could allow an attacker to modify sensitive files outside the sandbox. The vulnerability is fixed in version 2026.4.22.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious OpenClaw package or leverages an existing package.\u003c/li\u003e\n\u003cli\u003eThe package contains a symlink within the intended sandbox directory.\u003c/li\u003e\n\u003cli\u003eThe OpenClaw application attempts to write to a file via the symlink.\u003c/li\u003e\n\u003cli\u003eBetween the time OpenClaw checks the symlink and the time it performs the write operation, the attacker replaces the symlink with a new symlink pointing outside the intended sandbox root.\u003c/li\u003e\n\u003cli\u003eOpenClaw, due to the TOCTOU race condition, writes to the file location pointed to by the new symlink, which resides outside the sandbox.\u003c/li\u003e\n\u003cli\u003eThis allows the attacker to overwrite or modify arbitrary files on the system.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages this capability to gain elevated privileges or compromise sensitive data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability could allow an attacker to bypass the intended security restrictions of the OpenClaw sandbox. An attacker could potentially overwrite system files, inject malicious code into existing applications, or steal sensitive data. While the exact number of affected installations is unknown, any system running a vulnerable version of OpenClaw is susceptible to this attack.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to OpenClaw version 2026.4.22 or later to patch the vulnerability (reference: Affected Packages / Versions).\u003c/li\u003e\n\u003cli\u003eMonitor file system events for unexpected modifications outside of the expected OpenClaw sandbox directory. Deploy the Sigma rule \u003ccode\u003eDetect OpenClaw Sandbox Escape via Symlink\u003c/code\u003e to detect potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eImplement stricter file system access controls to limit the potential impact of successful exploitation (reference: Impact).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-openclaw-symlink/","summary":"A time-of-check/time-of-use (TOCTOU) race condition in OpenClaw versions 2026.4.21 and earlier allows a symlink swap to redirect filesystem writes outside the intended sandbox mount root, potentially leading to arbitrary file modification.","title":"OpenClaw Symlink Race Condition Allows Sandbox Escape","url":"https://feed.craftedsignal.io/briefs/2024-01-openclaw-symlink/"}],"language":"en","title":"CraftedSignal Threat Feed — Openclaw (\u003c= 2026.4.21)","version":"https://jsonfeed.org/version/1.1"}