Executive Summary

CVE-2026-32043 is a Time-of-Check-Time-of-Use (TOCTOU) race condition vulnerability in OpenClaw versions prior to 2026.2.25. It occurs in the approval-bound system.run execution process where the current working directory (cwd) parameter is validated at approval time but resolved at execution time.

This discrepancy allows an attacker to manipulate a symbolic link (symlink) for the cwd between the approval and execution phases. By retargeting the symlinked cwd, the attacker can bypass command execution restrictions and execute arbitrary commands on node hosts.

The vulnerability arises because the approval process treats the cwd as static text, but the actual execution resolves the cwd dynamically, enabling exploitation through mutable symlink targets.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can allow an attacker with local access and low privileges to bypass command execution restrictions by manipulating the cwd symlink between approval and execution.

As a result, the attacker can execute arbitrary commands on node hosts, potentially compromising system integrity and availability.

Because the attack exploits a race condition in the approval process, it undermines the security boundary intended to ensure operator-reviewed command execution, leading to unauthorized command execution.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability involves manipulation of symbolic links (symlinks) in the current working directory (cwd) parameter between approval and execution time in OpenClaw system.run commands. Detection involves checking for symlink usage in cwd paths and verifying if any commands are executed with symlinked cwd or executable paths.'}, {'type': 'paragraph', 'content': 'You can detect potential exploitation by searching for system.run executions where the cwd is a symlink or where executable paths are manipulated via symlinks.'}, {'type': 'list_item', 'content': 'Use filesystem commands to identify symlinks in directories used as cwd, for example: `find /path/to/monitored/directories -type l`'}, {'type': 'list_item', 'content': 'Check running processes or command executions for cwd symlinks by inspecting process information, e.g., `ls -l /proc/<pid>/cwd` on Linux systems.'}, {'type': 'list_item', 'content': 'Audit logs or command approval logs in OpenClaw for error messages indicating denial due to symlinked cwd or executable paths, such as messages containing "SYSTEM_RUN_DENIED".'}, {'type': 'paragraph', 'content': 'Since the vulnerability is specific to OpenClaw versions prior to 2026.2.25, ensure your monitoring includes version checks and look for attempts to exploit TOCTOU race conditions involving symlinked cwd.'}] [1, 2, 3]

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation is to upgrade OpenClaw to version 2026.2.25 or later, where the vulnerability is fixed.

The fix includes rejecting symlinked cwd paths during approval-bound system.run executions and canonicalizing executable paths to prevent symlink manipulation.

• Upgrade OpenClaw to version 2026.2.25 or newer.
• Ensure that the cwd used in system.run commands is not a symbolic link.
• Verify that executable paths are canonicalized and not replaced via symlink chains.

If upgrading immediately is not possible, consider restricting permissions to prevent attackers from creating or modifying symlinks in directories used as cwd for system.run commands.

Useful 0 Not Useful 0