diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-367/semmle/TOCTOUFilesystemRace.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-367/semmle/TOCTOUFilesystemRace.expected
new file mode 100644
index 000000000000..4794d4744af8
--- /dev/null
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-367/semmle/TOCTOUFilesystemRace.expected
@@ -0,0 +1 @@
+| test.cpp:21:3:21:8 | call to remove | The $@ being operated upon was previously $@, but the underlying file may have been changed since then. | test.cpp:21:10:21:14 | file1 | filename | test.cpp:19:7:19:12 | call to rename | checked |
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-367/semmle/TOCTOUFilesystemRace.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-367/semmle/TOCTOUFilesystemRace.qlref
new file mode 100644
index 000000000000..c7d2e9c45f4b
--- /dev/null
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-367/semmle/TOCTOUFilesystemRace.qlref
@@ -0,0 +1 @@
+Security/CWE/CWE-367/TOCTOUFilesystemRace.ql
\ No newline at end of file
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-367/semmle/test.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-367/semmle/test.cpp
new file mode 100644
index 000000000000..6433523d69a0
--- /dev/null
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-367/semmle/test.cpp
@@ -0,0 +1,51 @@
+
+class String
+{
+public:
+	String(const char *_s);
+	void set(const char *_s);
+};
+
+void create(const String &filename);
+bool rename(const String &from, const String &to);
+void remove(const String &filename);
+
+void test1()
+{
+	String file1 = "a.txt";
+	String file2 = "b.txt";
+
+	create(file1);
+	if (!rename(file1, file2))
+	{
+		remove(file1); // BAD
+	}
+}
+
+
+void test2()
+{
+	String file1 = "a.txt";
+	String file2 = "b.txt";
+
+	create(file1);
+	if (!rename(file1, file2))
+	{
+		file1.set("d.txt");
+		remove(file1); // GOOD
+	}
+}
+
+
+void test3()
+{
+	String file1 = "a.txt";
+	String file2 = "b.txt";
+	file1.set("d.txt");
+
+	create(file1);
+	if (!rename(file1, file2))
+	{
+		remove(file1); // BAD [NOT DETECTED]
+	}
+}