Path Traversal Vulnerability in OpenClaw by OpenClaw
CVE-2026-41363

6MEDIUM

Key Information:

Vendor: Openclaw
Status: Openclaw
Vendor: CVE Published:; 27 April 2026

What is CVE-2026-41363?

OpenClaw versions 2026.2.6 to 2026.3.24 have a path traversal vulnerability in the Feishu extension’s resolveUploadInput function that allows attackers to bypass file-system sandbox restrictions. This vulnerability facilitates improper path resolution during image upload operations, enabling unauthorized access to read files outside the designated localRoots boundaries. It is essential for organizations utilizing OpenClaw to implement strict upload validation to mitigate the risk associated with this vulnerability.

Affected Version(s)

OpenClaw 2026.2.6

References

https://github.com/openclaw/openclaw/security/advisories/...

vendor-advisory

https://www.vulncheck.com/advisories/openclaw-arbitrary-f...

third-party-advisory

CVSS V4

Score:

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

High

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 27, 2026
Vulnerability Reserved
Apr 20, 2026

Credit

ADumpling

CVE-2026-41363 Data

JSON

Openclaw

What is CVE-2026-41363?

Affected Version(s)

References

CVSS V4

Timeline

Credit