CVE-2026-43529: OpenClaw: TOCTOU read in exec script preflight
OpenClaw’s exec script preflight validator previously validated and then read a script by mutable pathname. A local race could swap the path between validation and read, causing preflight analysis to inspect a different file identity than the one that passed the workspace boundary check.
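The validate-then-read pattern described above, next to a reader that checks and reads a single open descriptor, as an added example (not OpenClaw's code or its fix). The function names and the `betweenSteps` hook are hypothetical, and the pinned reader assumes Linux, where `/proc/self/fd/<n>` names the file a descriptor refers to.

```javascript
const fs = require('fs');
const path = require('path');

// True when `target` is `root` itself or lies beneath it.
function isInside(root, target) {
  const rel = path.relative(root, target);
  return rel === '' ||
    (rel !== '..' && !rel.startsWith('..' + path.sep) && !path.isAbsolute(rel));
}

// Racy shape: the boundary check and the read each resolve the pathname on
// their own. `betweenSteps` is a hypothetical hook standing in for whatever
// else runs on the system between the two lookups.
function readScriptByPath(workspace, scriptPath, betweenSteps = () => {}) {
  const root = fs.realpathSync(workspace);
  if (!isInside(root, fs.realpathSync(scriptPath))) throw new Error('outside workspace');
  betweenSteps();
  return fs.readFileSync(scriptPath, 'utf8'); // second lookup of a mutable name
}

// Pinned shape: open once, then validate and read that descriptor only.
// Assumption: Linux procfs is mounted at /proc.
function readScriptByFd(workspace, scriptPath, betweenSteps = () => {}) {
  const root = fs.realpathSync(workspace);
  const fd = fs.openSync(scriptPath, 'r');
  try {
    if (!fs.fstatSync(fd).isFile()) throw new Error('not a regular file');
    // Ask the kernel which file the descriptor refers to, not the caller's name for it.
    const opened = fs.readlinkSync(`/proc/self/fd/${fd}`);
    if (!isInside(root, opened)) throw new Error('outside workspace');
    betweenSteps();
    return fs.readFileSync(fd, 'utf8'); // same file identity that was checked
  } finally {
    fs.closeSync(fd);
  }
}
```

Because the pinned reader never looks the name up a second time, a later change to what the pathname points at cannot alter which file is analysed.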