OpenClaw: OpenShell FS bridge reads pin and verify the opened file before returning bytes
Moderate severity
GitHub Reviewed
Published
Apr 23, 2026
in
openclaw/openclaw
•
Updated May 12, 2026
Description
Published to the GitHub Advisory Database
May 4, 2026
Reviewed
May 4, 2026
Last updated
May 12, 2026
Summary
OpenShell FS bridge reads pin and verify the opened file before returning bytes
Affected Packages / Versions
Impact
A time-of-check/time-of-use race around OpenShell sandbox filesystem reads could let a symlink swap cause bytes outside the intended mount root to be read.
Fix
OpenShell reads now open the file with no-follow semantics where available, validate the pinned file descriptor against the canonical mount root, reject unsafe hardlink/symlink cases, and use a strict fallback ancestor walk on platforms without fd-path readback.
Fix Commit(s)
Verification
Thanks @VladimirEliTokarev for reporting.
References