Filesystem Policy Bypass Vulnerability in OpenClaw by OpenClaw
CVE-2026-41911

6MEDIUM

Key Information:

Vendor

Openclaw

Status
Openclaw
Vendor
CVE Published:
28 April 2026

What is CVE-2026-41911?

OpenClaw versions before 2026.4.8 are vulnerable to a filesystem policy bypass through improper handling of docx uploads. This flaw allows malicious actors to exploit the upload_file and upload_image endpoints, gaining unauthorized access to files beyond designated workspace boundaries. Consequently, attackers can conduct local file reads, which potentially expose sensitive information and compromise system integrity. Users are advised to update to the latest version to mitigate this risk.

Affected Version(s)

OpenClaw 0 < 2026.4.8

OpenClaw 2026.4.8

References

https://github.com/openclaw/openclaw/security/advisories/...
vendor-advisory
https://github.com/openclaw/openclaw/commit/d7c3210cd6f5f...
patch
https://www.vulncheck.com/advisories/openclaw-workspace-o...
third-party-advisory

CVSS V4

Score:
6
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.