High

OpenClaw OpenShell TOCTOU Arbitrary File Read Outside Mount Root

IdentifiersCVE-2026-44113CWE-367· Time-of-check Time-of-use (TOCTOU)…

CVE-2026-44113 is a high-severity time-of-check/time-of-use (TOCTOU) race condition in OpenClaw's OpenShell filesystem bridge affecting versions before 2026.4.22. During read operations, OpenShell validates a file path as being within the permitted mount root, but an attacker can race that validation by swapping the checked path with a symbolic link or other redirect pointer that resolves outside the allowed directory boundary before the file is actually opened or read. This breaks the intended sandbox and mount-root restrictions and allows unauthorized reads of files outside the sandboxed filesystem scope. Reported consequences include exposure of system files, internal artifacts, credentials, and other sensitive data the agent was not intended to access.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows bypass of OpenClaw/OpenShell sandbox read restrictions and unauthorized disclosure of files outside the intended mount root. Depending on host configuration and the privileges of the OpenClaw agent process, this can expose system files, internal application artifacts, API keys, tokens, credentials, and other sensitive data. In the broader Claw Chain context, the flaw can be used as a data-access and secret-exfiltration primitive that supports subsequent privilege escalation and persistence through other vulnerabilities.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, reduce exploitability by restricting OpenClaw exposure behind authentication and firewall controls, eliminating unnecessary public internet access, minimizing the filesystem scope available to the agent, and avoiding mounts that expose sensitive host paths. Run the agent with the least privileges possible, segregate sensitive credentials from agent-readable locations, and monitor for anomalous file access patterns or symlink manipulation within agent-accessible directories. These measures reduce risk but do not fully remediate the underlying race condition.

Remediation

Patch, then assume compromise.

Upgrade OpenClaw to version 2026.4.22 or later; the issue is reported as patched in that release and affects versions released before April 23, 2026. Apply the vendor fixes for the Claw Chain issues, then rotate any secrets that may have been exposed, including API keys, tokens, and credentials. Review agent-accessible files and mounts for unnecessary exposure and audit for signs of unauthorized file access.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

OpenclawOpenclawapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

8 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

8 SOURCESView more in app

govinfosecurityNews

May 19, 2026

Patched OpenClaw Flaw Let Hackers Hijack AI Agents

An OpenClaw file-read boundary bypass vulnerability that allows attackers to redirect a validated file path outside the permitted directory boundary and access system files and internal credentials.

bank info securityNews

May 19, 2026

Patched OpenClaw Flaw Let Hackers Hijack AI Agents

An OpenClaw read-side path validation / TOCTOU-style flaw that allows attackers to access files outside the permitted directory boundary, exposing system files and internal credentials.

scworldNews

May 18, 2026

4 vulnerabilities in OpenClaw AI agent put thousands of servers at risk | brief | SC Media

A high-severity OpenClaw vulnerability that is part of the Claw Chain set and can be chained with other flaws to facilitate data theft and privilege escalation.

cyber security newsNews

May 15, 2026

OpenClaw Chain Vulnerabilities Expose 245,000 Public AI Agent Servers to Attack

A high-severity TOCTOU race condition in OpenClaw read operations that allows attackers to swap validated paths with symlinks outside the allowed mount root, exposing system files and internal artifacts.

+1 more in the timeline

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity3