TimelockController vulnerability in OpenZeppelin Contracts
Description
OpenZeppelin is a library for smart contract development. In affected versions a vulnerability in TimelockController allowed an actor with the executor role to escalate privileges. Further details about the vulnerability will be disclosed at a later date. As a workaround revoke the executor role from accounts not strictly under the team's control. We recommend revoking all executors that are not also proposers. When applying this mitigation, ensure there is at least one proposer and executor remaining.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
OpenZeppelin TimelockController vulnerability (CVE-2021-39167) allows a holder of the executor role to escalate privileges. Fixed in versions 4.3.1 (4.x line) and 3.4.2 (3.x line); workaround: revoke the executor role from untrusted accounts.
Vulnerability
Affected versions of OpenZeppelin Contracts (4.x before 4.3.1, and 3.x from 3.3.0 before 3.4.2) contain a vulnerability in the TimelockController contract that allows an actor holding EXECUTOR_ROLE to escalate privileges. The execute and executeBatch functions call _beforeCall before making the operation's external calls, but before the fix _beforeCall only verified the operation's predecessor; whether the operation was actually in the ready state (scheduled, delay elapsed, not yet executed) was only checked after the target calls had already run. The fix adds an isOperationReady check to _beforeCall, so an operation that is not ready is rejected before any external call is made [4].
Exploitation
An attacker who holds EXECUTOR_ROLE (e.g., a malicious or compromised executor) can call execute or executeBatch for an operation id that was never scheduled, is still within its delay, or has been cancelled. Because _beforeCall previously only checked the predecessor and not the operation's readiness, the target calls are made before readiness is evaluated, and they are made from the timelock's own address, so the payload runs with the timelock's authority and can alter the timelock's own state before the check sees it. The executor can thus run operations that never went through the proposer-controlled delay, effectively gaining control of the timelocked actions [2].
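The check ordering described in the Vulnerability and Exploitation sections, as a simplified Solidity sketch added here for illustration; it is not the library's source code. Scheduling and the full AccessControl role system are omitted and replaced by a single executor flag, and the contract names, the constructor and the revert strings below are chosen for this sketch. The _DONE_TIMESTAMP sentinel and the isOperationReady predicate follow the library's semantics; the two derived contracts differ only in _beforeCall, which is where the fix commit [4] adds the readiness check.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

/// Sketch of the execute() check ordering in TimelockController, written for
/// this page (not the library's verbatim source). Access control is reduced to
/// one executor flag and scheduling is left out, because the point is what
/// execute() verifies, and when, relative to the external call.
abstract contract TimelockSketch {
    uint256 internal constant _DONE_TIMESTAMP = 1;    // sentinel: operation already executed
    mapping(bytes32 => uint256) internal _timestamps; // 0 = unset, 1 = done, >1 = ready at
    mapping(address => bool) public isExecutor;

    constructor(address executor) {
        isExecutor[executor] = true;
    }

    modifier onlyExecutor() {
        require(isExecutor[msg.sender], "caller is not an executor");
        _;
    }

    function isOperationDone(bytes32 id) public view returns (bool) {
        return _timestamps[id] == _DONE_TIMESTAMP;
    }

    /// Ready means scheduled, delay elapsed and not yet executed.
    function isOperationReady(bytes32 id) public view returns (bool) {
        uint256 t = _timestamps[id];
        return t > _DONE_TIMESTAMP && t <= block.timestamp;
    }

    function hashOperation(address target, uint256 value, bytes calldata data,
                           bytes32 predecessor, bytes32 salt) public pure returns (bytes32) {
        return keccak256(abi.encode(target, value, data, predecessor, salt));
    }

    function execute(address target, uint256 value, bytes calldata data,
                     bytes32 predecessor, bytes32 salt) external payable onlyExecutor {
        bytes32 id = hashOperation(target, value, data, predecessor, salt);
        _beforeCall(id, predecessor);
        // The payload runs here with this contract as msg.sender, i.e. with the
        // timelock's own authority over anything it administers.
        (bool ok, ) = target.call{value: value}(data);
        require(ok, "underlying transaction reverted");
        _afterCall(id);
    }

    function _beforeCall(bytes32 id, bytes32 predecessor) internal view virtual;

    /// Both versions keep this post-call check; it is not enough on its own,
    /// because by now the payload has already executed and may have changed the
    /// very state this check inspects.
    function _afterCall(bytes32 id) internal {
        require(isOperationReady(id), "operation is not ready");
        _timestamps[id] = _DONE_TIMESTAMP;
    }
}

/// Pre-fix ordering (< 4.3.1 / < 3.4.2): only the dependency is verified
/// before the call. Readiness is first evaluated in _afterCall, after the
/// payload has run.
contract VulnerableOrdering is TimelockSketch {
    constructor(address executor) TimelockSketch(executor) {}

    function _beforeCall(bytes32, bytes32 predecessor) internal view override {
        require(predecessor == bytes32(0) || isOperationDone(predecessor), "missing dependency");
    }
}

/// Post-fix ordering (commit cec4f2ef, shipped in 4.3.1 / 3.4.2): readiness is
/// required before the call, so an unscheduled, pending or cancelled id reverts
/// without ever reaching target.call.
contract FixedOrdering is TimelockSketch {
    constructor(address executor) TimelockSketch(executor) {}

    function _beforeCall(bytes32 id, bytes32 predecessor) internal view override {
        require(isOperationReady(id), "operation is not ready");
        require(predecessor == bytes32(0) || isOperationDone(predecessor), "missing dependency");
    }
}
```

When reviewing a timelock or any similar "queue, wait, execute" contract, the property to check is that every precondition on the queued item is enforced before the item's side effects run, not merely somewhere in the same transaction; a check placed after an external call is evaluated against state the callee may have rewritten.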
Impact
Successful exploitation is a privilege escalation within the TimelockController: an executor can perform actions that should require proposer or admin privileges, bypassing the delay that is the whole point of the timelock, and can potentially take over the governance the timelock protects. Since a timelock typically holds administrative rights over the contracts it governs, an attacker who controls it can execute arbitrary operations in its name, compromising the integrity and availability of the governed system [2].
Mitigation
The issue is fixed in OpenZeppelin Contracts 4.3.1 (4.x line) and 3.4.2 (3.x line); upgrade to those versions or later. If an immediate upgrade is not possible, revoke EXECUTOR_ROLE from every account not strictly under your control, preferably from every executor that is not also a proposer, and confirm that at least one proposer and at least one executor remain afterwards [2]. No other workarounds are disclosed.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| @openzeppelin/contracts (npm) | >= 4.0.0, < 4.3.1 | 4.3.1 |
| @openzeppelin/contracts (npm) | >= 3.3.0, < 3.4.2 | 3.4.2 |
Affected products
- OpenZeppelin/openzeppelin-contracts, range: >= 4.0.0, < 4.3.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1. github.com/advisories/GHSA-fg47-3c2x-m2wr (GitHub advisory)
2. nvd.nist.gov/vuln/detail/CVE-2021-39167 (NVD)
3. github.com/OpenZeppelin/openzeppelin-contracts/blob/master/CHANGELOG.md (changelog)
4. github.com/OpenZeppelin/openzeppelin-contracts/commit/cec4f2ef57495d8b1742d62846da212515d99dd5 (fix commit)
5. github.com/OpenZeppelin/openzeppelin-contracts/security/advisories/GHSA-fg47-3c2x-m2wr (repository advisory)
News mentions
No linked articles in our index yet.