GHSA-xxj4-96ph-g6j6: Duplicate Advisory: OpenClaw: Sandbox `writeFile` commit could race outside the validated path

March 31, 2026 (updated April 6, 2026)

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-xvx8-77m6-gwg6. This link is maintained to preserve external references.

Original Description

OpenClaw before 2026.3.11 contains a sandbox boundary bypass vulnerability in the fs-bridge writeFile commit step that uses an unanchored container path during the final move operation. An attacker can exploit a time-of-check-time-of-use race condition by modifying parent paths inside the sandbox to redirect committed files outside the validated writable path within the container mount namespace.

References

Code Behaviors & Features

Detect and mitigate GHSA-xxj4-96ph-g6j6 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →