CVE-2026-32977
OpenClaw: Sandbox `writeFile` commit could race outside the validated path
Description
## Summary

In affected versions of `openclaw`, the sandbox fs-bridge `writeFile` commit step used an unanchored container path during the final move into place. An attacker racing parent-path changes inside the sandbox could redirect the committed file outside the validated sandbox path.

## Impact

This is a sandbox boundary bypass. In-sandbox code could win a time-of-check/time-of-use (TOCTOU) race and cause host-approved `writeFile` operations to land outside the validated writable path within the container mount namespace.

## Affected Packages and Versions

- Package: `openclaw` (npm)
- Affected versions: `< 2026.3.11`
- Fixed in: `2026.3.11`

## Technical Details

The hardening work for anchored remove, rename, and mkdir operations did not fully cover the `writeFile` commit path. The final `mv` still used the raw target path, leaving a race window between safety revalidation and the in-container commit step.

## Fix

OpenClaw now anchors the `writeFile` commit path to the canonical parent directory before the final move. The fix shipped in `[email protected]`.

## Workarounds

Upgrade to `2026.3.11` or later.
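As an added illustration of what "anchoring the commit to the canonical parent directory" means, the C program below (not OpenClaw's own TypeScript fs-bridge code, and not the shipped fix) walks to the parent with `openat()` one component at a time, then writes a temp file and renames it with `*at()` calls relative to that directory fd, so a later swap of the parent path cannot redirect the final move. It assumes a POSIX system with `openat`/`renameat`; the sandbox root under `/tmp` and the file names in `self_check` are constructed.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>
/* Walk root/rel_dir one component at a time with openat() relative to the previous
 * directory fd; symlinks, "." and ".." are refused, so the fd is provably inside root. */
static int open_dir_under(const char *root, const char *rel_dir) {
    int fd = open(root, O_RDONLY | O_DIRECTORY);
    if (fd < 0) return -1;
    char buf[4096], *save;
    snprintf(buf, sizeof buf, "%s", rel_dir);
    for (char *c = strtok_r(buf, "/", &save); c; c = strtok_r(NULL, "/", &save)) {
        int next = (strcmp(c, ".") && strcmp(c, "..")) ? openat(fd, c, O_RDONLY | O_DIRECTORY | O_NOFOLLOW) : -1;
        close(fd); if ((fd = next) < 0) return -1;   /* stop on symlink, "..", missing dir */
    }
    return fd;
}
/* Commit `data` to root/rel: temp file plus rename, both relative to the anchored parent
 * fd, so a racing swap of the parent path cannot redirect the final move. 0 = ok, -1 = fail. */
int anchored_commit(const char *root, const char *rel, const char *data) {
    const char *slash = strrchr(rel, '/'), *name = slash ? slash + 1 : rel;
    if (!*name || !strcmp(name, ".") || !strcmp(name, "..")) return -1;
    char dir[4096], tmp[300];
    snprintf(dir, sizeof dir, "%.*s", slash ? (int)(slash - rel) : 0, rel);
    int dirfd = open_dir_under(root, dir);
    if (dirfd < 0) return -1;
    snprintf(tmp, sizeof tmp, ".%s.tmp.%ld", name, (long)getpid());
    int rc = -1, fd = openat(dirfd, tmp, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd >= 0) {
        ssize_t len = (ssize_t)strlen(data);
        int ok = write(fd, data, len) == len && fsync(fd) == 0;
        close(fd);
        if (ok && renameat(dirfd, tmp, dirfd, name) == 0) rc = 0; else unlinkat(dirfd, tmp, 0);
    }
    close(dirfd);
    return rc;
}
/* Constructed self-check: a fresh sandbox with a real subdir and a symlinked parent that
 * points outside the root (the swapped-parent case). Returns 1 when every commit behaves. */
int self_check(void) {
    char root[] = "/tmp/sandbox.XXXXXX";
    if (!mkdtemp(root) || chdir(root) || mkdir("work", 0700) || symlink("/tmp", "escape")) return 0;
    return anchored_commit(root, "work/out.txt", "hello") == 0
        && anchored_commit(root, "escape/out.txt", "hello") == -1
        && anchored_commit(root, "../out.txt", "hello") == -1;
}
```

The validated directory and the directory the rename happens in are the same open fd, which is the property the unanchored `mv` on a raw path lacked.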
How to fix CVE-2026-32977
To remediate CVE-2026-32977, upgrade the affected package to a fixed version below.
- `openclaw` (npm): upgrade to 2026.3.11 or later
Is CVE-2026-32977 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- `openclaw` (npm): `>= 0, < 2026.3.11`