CWE-367— Time-of-check Time-of-use (TOCTOU) Race Condition
The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check.— MITRE CWE catalog
659 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-367page 13 of 14
- CVE-2026-41651HIGHCVSS 8.8EG 8.82026-04-22
PackageKit is a a D-Bus abstraction layer that allows the user to manage packages in a secure way using a cross-distro, cross-architecture API. PackageKit between and including versions 1.0.2 and 1.3.4 is vulnerable to a time-of-check time…
- CVE-2026-41702HIGHCVSS 7.8EG 7.82026-05-15
VMware Fusion contains a TOCTOU (Time-of-check Time-of-use) vulnerability that occurs during an operation performed by a SETUID binary. A malicious actor with local non-administrative user privileges may exploit this vulnerability to esc…
- CVE-2026-42306HIGHCVSS 7.2EG 7.22026-05-18
Moby is an open source container framework. In Docker Engine prior to version 29.5.1, Docker Daemon versions 28.5.2 and prior, and Moby Daemon prior to version 2.0.0-beta.14, a race condition during docker cp mount setup allows a malicious…
- CVE-2026-42336MEDIUMCVSS 5.1EG 5.12026-05-26
MaxKB is an open-source AI assistant for enterprise. MaxKB 2.8.0 and prior are vulnerable to a server-side request forgery (SSRF) bypass in the OSS file service URL fetch functionality due to inconsistent DNS resolution between validation …
- CVE-2026-42344MEDIUMCVSS 6.3EG 6.32026-05-08
FastGPT is an AI Agent building platform. In versions 4.14.11 and prior, FastGPT's isInternalAddress() function in packages/service/common/system/utils.ts is vulnerable to DNS rebinding (TOCTOU — Time-of-Check to Time-of-Use). The functi…
- CVE-2026-42592MEDIUMCVSS 5.3EG 5.32026-05-14
Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.32.0, FilterOutboundURL resolves the hostname, checks the resolved IPs against the private-address deny-list, and returns only the error. It discards the resolved addres…
- CVE-2026-43053MEDIUMCVSS 4.7EG 4.72026-05-01
In the Linux kernel, the following vulnerability has been resolved: xfs: close crash window in attr dabtree inactivation When inactivating an inode with node-format extended attributes, xfs_attr3_node_inactive() invalidates all child lea…
- CVE-2026-43420MEDIUMCVSS 4.7EG 4.72026-05-08
In the Linux kernel, the following vulnerability has been resolved: ceph: fix i_nlink underrun during async unlink During async unlink, we drop the `i_nlink` counter before we receive the completion (that will eventually update the `i_nl…
- CVE-2026-43433HIGHCVSS 7.8EG 7.82026-05-08
In the Linux kernel, the following vulnerability has been resolved: rust_binder: avoid reading the written value in offsets array When sending a transaction, its offsets array is first copied into the target proc's vma, and then the valu…
- CVE-2026-43529LOWCVSS 2.5EG 2.52026-05-05
OpenClaw before 2026.4.10 contains a time-of-check-time-of-use vulnerability in the validateScriptFileForShellBleed function that allows local attackers to bypass workspace boundary checks. An attacker with workspace write access can race-…
- CVE-2026-43582MEDIUMCVSS 6.3EG 6.32026-05-06
OpenClaw before 2026.4.10 contains a server-side request forgery vulnerability in browser navigation policy that allows attackers to bypass hostname validation through DNS rebinding attacks. Attackers can exploit inconsistent hostname reso…
- CVE-2026-43619MEDIUMCVSS 6.3EG 6.32026-05-20
Rsync version 3.4.2 and prior contain symlink race condition vulnerabilities in path-based system calls including chmod, lchown, utimes, rename, unlink, mkdir, symlink, mknod, link, rmdir, and lstat that allow local attackers to redirect …
- CVE-2026-43927MEDIUMCVSS 6.9EG 6.92026-07-06
FOSSBilling is a free, open-source billing and client management system. Prior to version 0.8.0, a race condition in the cart checkout flow allows an authenticated client to apply a promo code beyond its configured maximum uses. By sending…
- CVE-2026-44112CRITICALCVSS 9.6EG 9.62026-05-06
OpenClaw before 2026.4.22 contains a time-of-check/time-of-use race condition in OpenShell sandbox filesystem writes that allows attackers to redirect writes outside the intended mount root. Attackers can exploit symlink swaps during files…
- CVE-2026-44113HIGHCVSS 7.7EG 7.72026-05-06
OpenClaw before 2026.4.22 contains a time-of-check/time-of-use race condition in the OpenShell filesystem bridge that allows attackers to read files outside the intended mount root. Attackers can exploit symlink swaps during filesystem ope…
- CVE-2026-44694CRITICALCVSS 9.1EG 9.12026-05-08
n8n-MCP is an MCP server that provides AI assistants access to n8n node documentation, properties, and operations. From version 2.18.7 to before version 2.50.2, there is an authenticated server-side request forgery vulnerability affecting …
- CVE-2026-45203NONECVSS 0.0EG 0.02026-07-10
Kernel software installed and running inside a Host VM may post improper commands to the GPU Firmware to trigger a memory write outside the permitted range of memory for the host kernel. A TOCTOU bug existed where a malicious driver cou…
- CVE-2026-45208HIGHCVSS 7.8EG 7.82026-05-21
A time-of-check time-of-use vulnerability in the Apex One/SEP agent could allow a local attacker to escalate privileges on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on th…
- CVE-2026-45487HIGHCVSS 7.8EG 7.82026-06-09
Time-of-check time-of-use (TOCTOU) race condition in Program Compatibility Assistant Service allows an authorized attacker to elevate privileges locally.
- CVE-2026-45619MEDIUMCVSS 6.5EG 6.52026-05-15
WWBN AVideo is an open source video platform. In 29.0 and earlier, EpgParser.php, plugin/AI/receiveAsync.json.php, and other locations do not use the $resolvedIP out-param of isSSRFSafeURL() for DNS pinning via CURLOPT_RESOLVE, opening DNS…
- CVE-2026-45647MEDIUMCVSS 5.5EG 5.52026-06-09
Time-of-check time-of-use (toctou) race condition in Microsoft Defender for Endpoint allows an authorized attacker to elevate privileges locally.
- CVE-2026-45927MEDIUMCVSS 4.7EG 4.72026-05-27
In the Linux kernel, the following vulnerability has been resolved: bpf: Require frozen map for calculating map hash Currently, bpf_map_get_info_by_fd calculates and caches the hash of the map regardless of the map's frozen state. This …
- CVE-2026-46159MEDIUMCVSS 4.7EG 4.72026-05-28
In the Linux kernel, the following vulnerability has been resolved: btrfs: fix btrfs_ioctl_space_info() slot_count TOCTOU which can lead to info-leak btrfs_ioctl_space_info() has a TOCTOU race between two passes over the block group RAID…
- CVE-2026-46194CVSS 0.0EG 4.72026-05-28
In the Linux kernel, the following vulnerability has been resolved: f2fs: fix node_cnt race between extent node destroy and writeback f2fs_destroy_extent_node() does not set FI_NO_EXTENT before clearing extent nodes. When called from f2f…
- CVE-2026-46227HIGHCVSS 7.8EG 7.82026-05-28
In the Linux kernel, the following vulnerability has been resolved: sctp: revalidate list cursor after sctp_sendmsg_to_asoc() in SCTP_SENDALL The SCTP_SENDALL path in sctp_sendmsg() iterates ep->asocs with list_for_each_entry_safe(), whi…
- CVE-2026-4878HIGHCVSS 7.0EG 7.02026-04-09
A flaw was found in libcap. A local unprivileged user can exploit a Time-of-check-to-time-of-use (TOCTOU) race condition in the `cap_set_file()` function. This allows an attacker with write access to a parent directory to redirect file cap…
- CVE-2026-48931LOWCVSS 3.7EG 3.72026-06-22
A flaw in Node.js HTTP Agent can cause a client to accept as valid a response that is send before the client has sent the request. This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26*…
- CVE-2026-48983MEDIUMCVSS 5.8EG 5.82026-06-18
pam_usb provides hardware authentication for Linux using ordinary removable media. In versions prior to 0.9.2, a symlink race condition exists in per-device and per-user pad directory creation. pam_usb uses a check-then-act pattern: it cal…
- CVE-2026-49958MEDIUMCVSS 5.0EG 5.02026-06-09
Hermes WebUI before version 0.51.303 contains a time-of-check time-of-use (TOCTOU) race condition vulnerability in the git_discard function within api/workspace_git.py that allows attackers to delete files outside the configured workspace …
- CVE-2026-50631HIGHCVSS 7.4EG 7.42026-06-12
A race condition in AbstractOAuthDataProvider allows concurrent requests using the same Refresh Token to bypass single-use semantics and generate multiple valid Access Tokens, when 'recycleRefreshTokens' is set to false. A leaked refresh t…
- CVE-2026-52885MEDIUMCVSS 6.3EG 6.32026-06-26
Notepad++ is a free and open-source source code editor. Prior to 8.9.6.4, NppCommands.cpp checks the HMAC of the on-disk shortcuts.xml at the moment a user command fires (Time-of-Check). However, the command payload is taken from the in-me…
- CVE-2026-52991HIGHCVSS 7.8EG 7.82026-06-24
In the Linux kernel, the following vulnerability has been resolved: sched/psi: fix race between file release and pressure write A potential race condition exists between pressure write and cgroup file release regarding the priv member of…
- CVE-2026-53145HIGHCVSS 7.8EG 7.82026-06-25
In the Linux kernel, the following vulnerability has been resolved: drm/gem: Try to fix change_handle ioctl, attempt 4 [airlied: just added some comments on how to reenable] On-list because the cat is out of the bag and we're clearly not…
- CVE-2026-53250HIGHCVSS 7.8EG 7.82026-06-25
In the Linux kernel, the following vulnerability has been resolved: xsk: cache csum_start/csum_offset to fix TOCTOU in xsk_skb_metadata() The TX metadata area resides in the UMEM buffer which is memory-mapped and concurrently writable by…
- CVE-2026-53806HIGHCVSS 8.8EG 8.82026-06-11
OpenClaw before 2026.5.12 contains a shell option parsing vulnerability that allows combined POSIX shell flags to bypass exec revalidation checks. Attackers can exploit this by using combined shell options to execute inline shell content w…
- CVE-2026-53822HIGHCVSS 8.8EG 8.82026-06-12
OpenClaw before 2026.5.18 contains a command injection vulnerability where shell wrapper argv could change between approval and execution. Attackers can rebuild command arguments after allowlist approval to execute unapproved command shape…
- CVE-2026-53831HIGHCVSS 8.1EG 8.32026-06-12
OpenClaw before 2026.5.18 contains a policy enforcement vulnerability in system.run safe-bin allowlist validation that allows shell expansion to modify command interpretation on POSIX nodes. Authenticated operators can exploit shell metach…
- CVE-2026-53838CRITICALCVSS 9.8EG 9.82026-06-12
OpenClaw before 2026.5.27 contains a state mutation vulnerability in node pairing reconnection that allows paired nodes to confuse approval scope decisions. Attackers can exploit reconnection logic to restore or present broader node author…
- CVE-2026-53945MEDIUMCVSS 4.0EG 4.02026-06-24
Ghost is a Node.js content management system. From 6.0.9 until 6.21.1, Ghost’s private-IP check for outbound HTTP requests could be bypassed via DNS rebinding, allowing an attacker to coerce the Ghost server into reaching hosts on intern…
- CVE-2026-54055MEDIUMCVSS 5.0EG 5.02026-06-12
Kitty is a cross-platform GPU based terminal. In versions prior to 0.47.2, a local privilege escalation vulnerability exists in kitty's file transmission protocol where a child process running in the terminal can write to arbitrary files o…
- CVE-2026-54228HIGHCVSS 7.8EG 7.82026-06-13
A time-of-check time-of-use (TOCTOU) race condition was found in the abrt-dbus D-Bus service's SetElement method. Between dump directory creation and post-create event execution, any local user can call SetElement to write arbitrary text f…
- CVE-2026-54327LOWCVSS 2.2EG 2.22026-06-17
Pi is a minimal terminal coding harness. From 0.74.0 until 0.78.1, Pi stored API keys and OAuth credentials in auth.json. A race condition in the file write path could briefly create or rewrite this file with permissions derived from the p…
- CVE-2026-54353HIGHCVSS 7.1EG 7.12026-06-22
Budibase is an open-source low-code platform. Prior to 3.39.9, authenticated users with automation permissions can bypass Budibase's SSRF blacklist through DNS rebinding. The outbound fetch flow validates a hostname against the blacklist b…
- CVE-2026-54370MEDIUMCVSS 6.3EG 6.32026-06-29
acl before version 2.4.0 contains a time-of-check to time-of-use (TOCTOU) race condition vulnerability that allows local attackers to escalate privileges by replacing a pathname component with a symbolic link between an lstat() check and s…
- CVE-2026-54777MEDIUMCVSS 6.5EG 6.52026-06-19
CoreWCF is a port of the service side of Windows Communication Foundation (WCF) to .NET Core. Prior to 1.8.1 and 1.9.1, CoreWCF NetNamedPipe transport accepts attachment to a pre-existing named pipe instance, allowing local interception of…
- CVE-2026-55950MEDIUMCVSS 5.9EG 5.92026-07-02
Time-of-check Time-of-use (TOCTOU) race condition vulnerability in Erlang/OTP ssl (dtls_packet_demux module) allows an unauthenticated remote attacker to crash all active DTLS sessions on a listener. A DTLS server listener uses a single s…
- CVE-2026-56676HIGHCVSS 7.4EG 7.42026-07-10
9Router is an AI router & token saver. Prior to 0.5.2, 9router validates image URLs by resolving the host before fetching, but open-sse/translator/concerns/image.js performs the later server-side image fetch with a separate DNS resolution.…
- CVE-2026-57959MEDIUMCVSS 5.9EG 5.92026-06-29
Hi.Events through 1.9.0 contains a promo code validation vulnerability where reservation validates usage count before asynchronous UpdateEventStatisticsJob increments it, allowing attackers to redeem limited promo codes unlimited times. At…
- CVE-2026-58198MEDIUMCVSS 5.5EG 5.52026-07-09
ChatterBot is a machine learning, conversational dialog engine for creating chat bots. Prior to 1.2.14, UbuntuCorpusTrainer.extract() uses a predictable home-rooted output directory (~/ubuntu_data/ubuntu_dialogs) with a check-then-create p…
- CVE-2026-58299HIGHCVSS 7.5EG 7.52026-07-03
Time-of-check time-of-use (toctou) race condition in Microsoft Edge for Android allows an unauthorized attacker to execute code over a network.
Map vulnerabilities like CWE-367 to your infrastructure
EchelonGraph correlates every CVE — across CWE-367 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →