CVE-2026-41296: OpenClaw Sandbox Escape via TOCTOU Race — What You Need to Know

April 22, 2026 · ClawReady Team

A HIGH-severity CVE for OpenClaw was published on April 20. CVE-2026-41296 is a time-of-check-time-of-use (TOCTOU) race condition in the remote filesystem bridge that allows sandbox escape — meaning an attacker with low privileges can read arbitrary files outside the intended sandbox boundary.

If you're running OpenClaw before version 2026.3.31, patch now.

CVE details

What the vulnerability is

The bug lives in the remote filesystem bridge's readFile function. The problem is a classic TOCTOU pattern: OpenClaw validates the file path at one point in time, then performs the actual file read as a separate operation. Between those two steps — the check and the use — an attacker can swap out the path target to point to a file outside the sandbox.

In practice: an attacker with low-level access (a plugin, a skill, or a crafted request that reaches the remote filesystem bridge) can race the check-to-read window to read arbitrary files on the host system. Environment files, key stores, config files, secrets — anything readable by the OpenClaw process is potentially accessible.
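The check-then-use pattern described above, next to a reader that validates the descriptor it has already opened, as an added example (this is not OpenClaw's code and not its actual fix). The function names, the `gap` hook that makes the check-to-read window deterministic, and the temp-directory layout are assumptions; the hardened reader assumes Linux, where `/proc/self/fd` is available.

```javascript
const fs = require('fs');
const os = require('os');
const path = require('path');
const inside = (root, p) => p === root || p.startsWith(root + path.sep);

// Check-then-use: the path is validated, then resolved a second time by the read.
// `gap` is a hypothetical hook standing in for the window between the two steps.
function readCheckThenUse(root, rel, gap = () => {}) {
  const full = path.join(root, rel);
  if (!inside(root, fs.realpathSync(full))) throw new Error('outside sandbox');
  gap();
  return fs.readFileSync(full, 'utf8'); // the name is resolved again here
}

// Open-then-check: open once, validate the object actually opened, read that fd.
// Assumption: Linux, where /proc/self/fd/<n> names the file behind a descriptor.
function readOpenThenCheck(root, rel, gap = () => {}) {
  const fd = fs.openSync(path.join(root, rel), 'r');
  try {
    gap();
    const opened = fs.readlinkSync(`/proc/self/fd/${fd}`);
    if (!inside(root, opened)) throw new Error('outside sandbox');
    return fs.readFileSync(fd, 'utf8');
  } finally { fs.closeSync(fd); }
}

// Constructed scenario in a temp dir; the entry is re-pointed inside the hook.
function demo() {
  const base = fs.realpathSync(fs.mkdtempSync(path.join(os.tmpdir(), 'toctou-')));
  const [root, secret] = [path.join(base, 'sandbox'), path.join(base, 'secret.txt')];
  const [ok, entry] = [path.join(root, 'ok.txt'), path.join(root, 'entry')];
  fs.mkdirSync(root);
  fs.writeFileSync(ok, 'inside');
  fs.writeFileSync(secret, 'outside');
  const point = (t) => { fs.rmSync(entry, { force: true }); fs.symlinkSync(t, entry); };
  const attempt = (fn, start, swapTo) => {
    point(start);
    try { return fn(root, 'entry', swapTo ? () => point(swapTo) : undefined); }
    catch (e) { return 'blocked: ' + e.message; }
  };
  const out = {
    checkThenUse: attempt(readCheckThenUse, ok, secret),   // 'outside': check passed, read escaped
    openThenCheck: attempt(readOpenThenCheck, ok, secret), // 'inside': the fd still names ok.txt
    alreadyOutside: attempt(readOpenThenCheck, secret),    // 'blocked: outside sandbox'
  };
  fs.rmSync(base, { recursive: true, force: true });
  return out;
}
console.log(demo());
```

The point for reviewers is that validation and read must act on the same opened object; any design that resolves the name twice keeps the window open regardless of how strict the check is.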

Who is affected

OpenClaw 2026.3.31 and all later releases (4.x) are patched. If you've been keeping up with updates, you're already covered. If you've been holding on to an older version, this is the reason to update.

How to verify your version

openclaw --version

If the reported version is earlier than 2026.3.31, you're vulnerable. Update immediately:

npm install -g openclaw@latest

Or if using npm with a prefix:

npm install -g --prefix ~/.npm-global openclaw@latest

Immediate mitigations if you can't update

If updating right now isn't possible:

  1. Disable the remote filesystem bridge in your gateway config if you don't need it
  2. Restrict plugin/skill permissions — only run trusted, reviewed skills
  3. Monitor logs for anomalous readFile calls or 4xx/5xx spikes on the remote bridge endpoint
  4. Audit your environment files — know what's readable by the OpenClaw process and reduce exposure where possible

References

ClawReady's posture

All ClawReady-configured setups should already be running 4.x (well past the 3.31 fix). If you had a ClawReady setup done before March 31 and haven't updated since, run the version check above. If you're unsure about your exposure, ClawReady's security audit tier covers exactly this: version verification, bridge configuration review, and permission hardening.