CWE-367— Time-of-check Time-of-use (TOCTOU) Race Condition
The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check.— MITRE CWE catalog
659 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-367page 12 of 14
- CVE-2026-2638HIGHCVSS 7.3EG 7.32026-06-09
A vulnerability in the quarantine and restore workflow of the X-VPN macOS website versions 77.0 through 77.5 allow a local attacker to leverage a race condition and symlink manipulation to achieve privileged file corruption.
- CVE-2026-27456MEDIUMCVSS 4.7EG 4.72026-04-03
util-linux is a random collection of Linux utilities. Prior to version 2.41.4, a TOCTOU (Time-of-Check-Time-of-Use) vulnerability has been identified in the SUID binary /usr/bin/mount from util-linux. The mount binary, when setting up loop…
- CVE-2026-27545MEDIUMCVSS 6.1EG 6.12026-03-18
OpenClaw versions prior to 2026.2.26 contain an approval bypass vulnerability in system.run execution that allows attackers to execute commands from unintended filesystem locations by rebinding writable parent symlinks in the current worki…
- CVE-2026-27670MEDIUMCVSS 5.3EG 5.32026-03-19
OpenClaw versions prior to 2026.3.2 contain a race condition vulnerability in ZIP extraction that allows local attackers to write files outside the intended destination directory. Attackers can exploit a time-of-check-time-of-use race betw…
- CVE-2026-27929HIGHCVSS 7.0EG 7.02026-04-14
Time-of-check time-of-use (toctou) race condition in Windows LUAFV allows an authorized attacker to elevate privileges locally.
- CVE-2026-29518HIGHCVSS 7.0EG 7.02026-05-20
Rsync versions before 3.4.3 contain a time-of-check to time-of-use (TOCTOU) race condition in daemon file handling that allows attackers to redirect file writes outside intended directories by replacing parent directory components with sym…
- CVE-2026-30332HIGHCVSS 7.5EG 7.52026-04-02
A Time-of-Check to Time-of-Use (TOCTOU) race condition vulnerability in Balena Etcher for Windows prior to v2.1.4 allows attackers to escalate privileges and execute arbitrary code via replacing a legitimate script with a crafted payload d…
- CVE-2026-31523MEDIUMCVSS 4.7EG 4.72026-04-22
In the Linux kernel, the following vulnerability has been resolved: nvme-pci: ensure we're polling a polled queue A user can change the polled queue count at run time. There's a brief window during a reset where a hipri task may try to p…
- CVE-2026-31535MEDIUMCVSS 4.7EG 4.72026-04-24
In the Linux kernel, the following vulnerability has been resolved: smb: client: make use of smbdirect_socket.recv_io.credits.available The logic off managing recv credits by counting posted recv_io and granted credits is racy. That's b…
- CVE-2026-31678HIGHCVSS 7.8EG 7.82026-04-25
In the Linux kernel, the following vulnerability has been resolved: openvswitch: defer tunnel netdev_put to RCU release ovs_netdev_tunnel_destroy() may run after NETDEV_UNREGISTER already detached the device. Dropping the netdev referenc…
- CVE-2026-31997MEDIUMCVSS 6.0EG 6.02026-03-19
OpenClaw versions prior to 2026.3.1 fail to pin executable identity for non-path-like argv[0] tokens in system.run approvals, allowing post-approval executable rebind attacks. Attackers can modify PATH resolution after approval to execute …
- CVE-2026-32043MEDIUMCVSS 6.5EG 6.52026-03-21
OpenClaw versions prior to 2026.2.25 contain a time-of-check-time-of-use vulnerability in approval-bound system.run execution where the cwd parameter is validated at approval time but resolved at execution time. Attackers can retarget a sy…
- CVE-2026-32093HIGHCVSS 7.0EG 7.02026-04-14
Concurrent execution using shared resource with improper synchronization ('race condition') in Function Discovery Service (fdwsd.dll) allows an authorized attacker to elevate privileges locally.
- CVE-2026-32602MEDIUMCVSS 4.2EG 4.22026-04-06
Homarr is an open-source dashboard. Prior to 1.57.0, the user registration endpoint (/api/trpc/user.register) is vulnerable to a race condition that allows an attacker to create multiple user accounts from a single-use invite token. The re…
- CVE-2026-32921MEDIUMCVSS 6.3EG 6.32026-03-31
OpenClaw before 2026.3.8 contains an approval bypass vulnerability in system.run where mutable script operands are not bound across approval and execution phases. Attackers can obtain approval for script execution, modify the approved scri…
- CVE-2026-32977MEDIUMCVSS 6.3EG 6.32026-03-31
OpenClaw before 2026.3.11 contains a sandbox boundary bypass vulnerability in the fs-bridge writeFile commit step that uses an unanchored container path during the final move operation. An attacker can exploit a time-of-check-time-of-use r…
- CVE-2026-32979HIGHCVSS 7.3EG 7.32026-03-29
OpenClaw before 2026.3.11 contains an approval integrity vulnerability allowing attackers to execute rewritten local code by modifying scripts between approval and execution when exact file binding cannot occur. Remote attackers can change…
- CVE-2026-32988HIGHCVSS 7.5EG 7.52026-03-31
OpenClaw before 2026.3.11 contains a sandbox boundary bypass vulnerability in fs-bridge staged writes where temporary file creation and population are not pinned to a verified parent directory. Attackers can exploit a race condition in par…
- CVE-2026-33574MEDIUMCVSS 6.2EG 6.22026-03-29
OpenClaw before 2026.3.8 contains a path traversal vulnerability in the skills download installer that validates the tools root lexically but reuses the mutable path during archive download and copy operations. A local attacker can rebind …
- CVE-2026-33659LOWCVSS 3.5EG 3.52026-04-13
EspoCRM is an open source customer relationship management application. In versions 9.3.3 and below, the POST /api/v1/Attachment/fromImageUrl endpoint is vulnerable to Server-Side Request Forgery (SSRF) via a DNS rebinding (TOCTOU) conditi…
- CVE-2026-3428MEDIUMCVSS 5.4EG 5.42026-04-16
A Download of Code Without Integrity Check vulnerability in the update modules in ASUS Member Center(华硕大厅) allows a local user to achieve privilege escalation to Administrator via exploitation of a Time-of-check Time-of-use (TOC-TO…
- CVE-2026-34354HIGHCVSS 7.4EG 7.42026-05-08
Akamai Guardicore Platform Agent (GPA) and Zero Trust Client on Linux and macOS allow TOCTOU-based local privilege escalation. The GPA service creates an IPC socket in the world-writable /tmp directory. It accepts unauthenticated IPC contr…
- CVE-2026-34596HIGHCVSS 7.0EG 7.02026-05-05
Sandboxie-Plus is an open source sandbox-based isolation software for Windows. In versions 1.17.2 and earlier, a Time-of-Check-to-Time-of-Use (TOCTOU) race condition exists during addon installation. When a user installs an addon through t…
- CVE-2026-35202LOWCVSS 2.3EG 2.32026-05-26
Pterodactyl is a free, open-source game server management panel. Prior to version 1.12.3, the Pterodactyl Client API has a logic flaw that lets users bypass their assigned limits for database allocations. This happens because the database …
- CVE-2026-35345MEDIUMCVSS 5.3EG 5.32026-04-22
A vulnerability in the tail utility of uutils coreutils allows for the exfiltration of sensitive file contents when using the --follow=name option. Unlike GNU tail, the uutils implementation continues to monitor a path after it has been re…
- CVE-2026-35352HIGHCVSS 7.0EG 7.02026-04-22
A Time-of-Check to Time-of-Use (TOCTOU) race condition exists in the mkfifo utility of uutils coreutils. The utility creates a FIFO and then performs a path-based chmod to set permissions. A local attacker with write access to the parent d…
- CVE-2026-35353LOWCVSS 3.3EG 3.32026-04-22
The mkdir utility in uutils coreutils incorrectly applies permissions when using the -m flag by creating a directory with umask-derived permissions (typically 0755) before subsequently changing them to the requested mode via a separate chm…
- CVE-2026-35354MEDIUMCVSS 4.7EG 4.72026-04-22
A Time-of-Check to Time-of-Use (TOCTOU) vulnerability exists in the mv utility of uutils coreutils during cross-device moves. The extended attribute (xattr) preservation logic uses multiple path-based system calls that perform fresh path-t…
- CVE-2026-35355MEDIUMCVSS 6.3EG 6.32026-04-22
The install utility in uutils coreutils is vulnerable to a Time-of-Check to Time-of-Use (TOCTOU) race condition during file installation. The implementation unlinks an existing destination file and then recreates it using a path-based oper…
- CVE-2026-35356MEDIUMCVSS 6.3EG 6.32026-04-22
A Time-of-Check to Time-of-Use (TOCTOU) vulnerability exists in the install utility of uutils coreutils when using the -D flag. The command creates parent directories and subsequently performs a second path resolution to create the target …
- CVE-2026-35357MEDIUMCVSS 4.7EG 4.72026-04-22
The cp utility in uutils coreutils is vulnerable to an information disclosure race condition. Destination files are initially created with umask-derived permissions (e.g., 0644) before being restricted to their final mode (e.g., 0600) late…
- CVE-2026-35359MEDIUMCVSS 4.7EG 4.72026-04-22
A Time-of-Check to Time-of-Use (TOCTOU) vulnerability in the cp utility of uutils coreutils allows an attacker to bypass no-dereference intent. The utility checks if a source path is a symbolic link using path-based metadata but subsequent…
- CVE-2026-35360MEDIUMCVSS 6.3EG 6.32026-04-22
The touch utility in uutils coreutils is vulnerable to a Time-of-Check to Time-of-Use (TOCTOU) race condition during file creation. When the utility identifies a missing path, it later attempts creation using File::create(), which internal…
- CVE-2026-35362LOWCVSS 3.6EG 3.62026-04-22
The safe_traversal module in uutils coreutils, which provides protection against Time-of-Check to Time-of-Use (TOCTOU) symlink races using file-descriptor-relative syscalls, is incorrectly limited to Linux targets. On other Unix-like syste…
- CVE-2026-35364MEDIUMCVSS 6.3EG 6.32026-04-22
A Time-of-Check to Time-of-Use (TOCTOU) race condition exists in the mv utility of uutils coreutils during cross-device operations. The utility removes the destination path before recreating it through a copy operation. A local attacker wi…
- CVE-2026-35374MEDIUMCVSS 6.3EG 6.32026-04-22
A Time-of-Check to Time-of-Use (TOCTOU) vulnerability exists in the split utility of uutils coreutils. The program attempts to prevent data loss by checking for identity between input and output files using their file paths before initiati…
- CVE-2026-35376MEDIUMCVSS 4.5EG 4.52026-04-22
A Time-of-Check to Time-of-Use (TOCTOU) vulnerability exists in the chcon utility of uutils coreutils during recursive operations. The implementation resolves recursive targets using a fresh path lookup (via fts_accpath) rather than bindin…
- CVE-2026-35418HIGHCVSS 7.8EG 7.82026-05-12
Use after free in Windows Cloud Files Mini Filter Driver allows an authorized attacker to elevate privileges locally.
- CVE-2026-35648LOWCVSS 3.7EG 3.72026-04-10
OpenClaw before 2026.3.22 contains a policy bypass vulnerability where queued node actions are not revalidated against current command policy when delivered. Attackers can exploit stale allowlists or declarations that survive policy tighte…
- CVE-2026-3590MEDIUMCVSS 6.5EG 6.52026-04-15
Mattermost versions 10.11.x <= 10.11.12, 11.5.x <= 11.5.0, 11.4.x <= 11.4.2, 11.3.x <= 11.3.2 fail to enforce atomic single-use consumption of guest magic link tokens, which allows an attacker with access to a valid magic link to establish…
- CVE-2026-37531CRITICALCVSS 9.8EG 9.82026-05-01
AGL app-framework-main thru 17.1.12 contains a Zip Slip path traversal vulnerability (CWE-22) combined with a TOCTOU race condition (CWE-367) in the widget installation flow. The is_valid_filename function in wgtpkg-zip.c validates ZIP ent…
- CVE-2026-40896MEDIUMCVSS 6.5EG 6.52026-04-20
OpenProject is open-source, web-based project management software. Prior to version 17.3.0, a user with `manage_agendas` permission in any project can inject agenda items into meetings belonging to any other project on the instance — eve…
- CVE-2026-41002HIGHCVSS 7.2EG 7.22026-05-07
The base directory (`spring.cloud.config.server.git.basedir`) used by the Spring Cloud Config Server to clone Git repositories to is susceptible to time-of-check-time-of-use (TOCTOU) attacks. Spring Cloud Config 3.1.x: affected from 3.1.0 …
- CVE-2026-41045HIGHCVSS 7.0EG 8.12026-06-22
A time-to-check-time-of-use in polkit authentication of qSnapper before version 1.3.3 allowed a local attacker to bypass qSnappers authentication mechanism and operate e.g. as root user.
- CVE-2026-41051MEDIUMCVSS 5.0EG 5.02026-05-13
csync2 uses insecure temporary directories when compiled with C99 or later, allowing for TOCTOU style attacks on the temporary directories.
- CVE-2026-41296HIGHCVSS 8.2EG 8.22026-04-21
OpenClaw before 2026.3.31 contains a time-of-check-time-of-use race condition in the remote filesystem bridge readFile function that allows sandbox escape. Attackers can exploit the separate path validation and file read operations to bypa…
- CVE-2026-41337MEDIUMCVSS 5.3EG 5.32026-04-23
OpenClaw before 2026.3.31 contains a callback origin mutation vulnerability in Plivo voice-call replay that allows attackers to mutate in-process callback origin before replay rejection. Attackers with captured valid callbacks for live cal…
- CVE-2026-41338MEDIUMCVSS 5.0EG 5.02026-04-23
OpenClaw before 2026.3.31 contains a time-of-check-time-of-use vulnerability in sandbox file operations that allows attackers to bypass fd-based defenses. Attackers can exploit check-then-act patterns in apply_patch, remove, and mkdir oper…
- CVE-2026-41360MEDIUMCVSS 6.7EG 6.72026-04-23
OpenClaw before 2026.4.2 contains an approval integrity vulnerability in pnpm dlx that fails to bind local script operands consistently with pnpm exec flows. Attackers can replace approved local scripts before execution without invalidatin…
- CVE-2026-41568MEDIUMCVSS 6.1EG 6.12026-05-18
Moby is an open source container framework. In Docker Engine prior to version 29.5.1, Docker Daemon versions 28.5.2 and prior, and Moby Daemon prior to version 2.0.0-beta.14, a race condition during docker cp mount setup allows a malicious…
Map vulnerabilities like CWE-367 to your infrastructure
EchelonGraph correlates every CVE — across CWE-367 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →