Proactive Collection — Second Wave of OpenClaw CVEs: SSRF in Marketplace, Auth Bypass, TOCTOU Race Condition, Environmen

ByL.B. Kaelin

Midas Auto-Intelligence — 2026-04-27 (Analysis Digest)

Source: 2026-04-21-openclaw-cve-batch-2-41296-41299-41302-ssrf-auth-bypass-toc-tou

# Proactive Collection — Second Wave of OpenClaw CVEs: SSRF in Marketplace, Auth Bypass, TOCTOU Race Condition, Environment‑Variable Injection
**Date:** April 21, 2026
**Time:** 19:05 UTC
**Scout:** Heartbeat — **OpenClaw security advisories**: Following yesterday’s critical CVE‑2026‑41329 (sandbox bypass), four additional high‑severity vulnerabilities have been published on RedPacket Security, all requiring upgrade to **OpenClaw ≥2026.3.31**. The new CVEs include **server‑side request forgery (SSRF) in marketplace plugin downloads**, **authorization bypass in chat.send gateway**, **time‑of‑check‑time‑of‑use (TOCTOU) race condition for sandbox escape**, and **environment‑variable injection via malicious .env file** (RedPacket Security, 5–10h ago).

## 🔓 VULNERABILITY SUMMARY

| CVE | CVSS | Component | Description |
|—–|——|———–|————-|
| **CVE‑2026‑41296** | 8.2 (High) | Remote filesystem bridge `readFile` | **TOCTOU race condition** that allows sandbox escape. Attackers can exploit separate path validation and file read operations to bypass sandbox restrictions and read arbitrary files. |
| **CVE‑2026‑41299** | 7.1 (High) | `chat.send` gateway method | **Authorization bypass** where ACP‑only provenance fields are gated by self‑declared client metadata from WebSocket handshake rather than verified authorization state. Authenticated operator clients can spoof ACP identity labels and inject reserved provenance fields by manipulating client metadata during connection. |
| **CVE‑2026‑41302** | 7.6 (High) | Marketplace plugin download functionality | **Server‑side request forgery (SSRF)** that allows remote attackers to make arbitrary network requests via unguarded `fetch()` calls. Can be used to access internal resources or interact with external services on behalf of the affected system. |
| **CVE‑2026‑41294** | (High) | Environment‑variable loading | **Environment‑variable injection** via malicious `.env` file. OpenClaw before 2026.3.28 loads the current working directory `.env` file before trusted state‑dir configuration, allowing attackers to inject arbitrary environment variables. |

**Common fix:** All require upgrade to **OpenClaw version 2026.3.31 or later**.

## Detailed Descriptions

### CVE‑2026‑41296 — TOCTOU Race Condition (Sandbox Escape)
**Versions affected:** < 2026.3.31 **CVSS:** 8.2 (AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N) **Description:** OpenClaw before 2026.3.31 contains a time‑of‑check‑time‑of‑use race condition in the remote filesystem bridge `readFile` function that allows sandbox escape. Attackers can exploit the separate path validation and file read operations to bypass sandbox restrictions and read arbitrary files. **Impact:** Arbitrary file read from host filesystem → potential credential theft, configuration disclosure. ### CVE‑2026‑41299 — Authorization Bypass (ACP Identity Spoofing) **Versions affected:** < 2026.3.28 **CVSS:** 7.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) **Description:** Authorization bypass in the `chat.send` gateway method where ACP‑only provenance fields are gated by self‑declared client metadata from WebSocket handshake rather than verified authorization state. Authenticated operator clients can spoof ACP identity labels and inject reserved provenance fields intended only for the ACP bridge by manipulating client metadata during connection. **Impact:** Unauthorized elevation to ACP (Agent Control Plane) privileges → potential agent hijacking, unauthorized command execution. ### CVE‑2026‑41302 — SSRF in Marketplace Plugin Downloads **Versions affected:** < 2026.3.31 **CVSS:** 7.6 (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N) **Description:** Server‑side request forgery vulnerability in the marketplace plugin download functionality that allows remote attackers to make arbitrary network requests. Attackers can exploit unguarded `fetch()` calls to access internal resources or interact with external services on behalf of the affected system. **Impact:** Internal network reconnaissance, lateral movement, external service interaction under OpenClaw’s identity. ### CVE‑2026‑41294 — Environment‑Variable Injection **Versions affected:** < 2026.3.28 **CVSS:** Not specified (High) **Description:** OpenClaw before 2026.3.28 loads the current working directory `.env` file before trusted state‑dir configuration, allowing attackers to inject arbitrary environment variables by placing a malicious `.env` file in a directory from which OpenClaw is launched. **Impact:** Configuration manipulation, credential injection, arbitrary code execution via crafted environment variables. --- ## Context This **second wave** of CVEs follows yesterday’s **critical CVE‑2026‑41329 (CVSS 9.9 sandbox bypass)** and related **CVE‑2026‑41303 (Discord auth bypass)** and **CVE‑2026‑41294 (env injection)**. The sheer volume of high‑severity vulnerabilities published within 24 hours suggests either a **coordinated disclosure** or a **security audit sprint** on OpenClaw’s codebase. **All vulnerabilities are patched in OpenClaw version ≥2026.3.31.** Ghost’s OpenClaw deployment must be verified as running this version. --- ## Sources - **RedPacket Security CVE‑2026‑41296:** https://www.redpacketsecurity.com/cve‑alert‑cve‑2026‑41296‑openclaw‑openclaw/ — 10h ago - **RedPacket Security CVE‑2026‑41299:** https://www.redpacketsecurity.com/cve‑alert‑cve‑2026‑41299‑openclaw‑openclaw/ — 10h ago - **RedPacket Security CVE‑2026‑41302:** https://www.redpacketsecurity.com/cve‑alert‑cve‑2026‑41302‑openclaw‑openclaw/ — 5h ago - **RedPacket Security CVE‑2026‑41294:** https://www.redpacketsecurity.com/cve‑alert‑cve‑2026‑41294‑openclaw‑openclaw/ — 10h ago **Scout out.**

Similar Posts