Description

OpenClaw before 2026.4.2 contains an arbitrary directory deletion vulnerability in mirror mode that allows attackers to delete remote directories by influencing remoteWorkspaceDir and remoteAgentWorkspaceDir configuration values. Attackers can manipulate these OpenShell config paths to cause mirror sync operations to delete unintended remote directory contents and replace them with uploaded workspace data.

State: PUBLISHED | Reserved: 2026-04-20 | Published: 2026-04-28 | Updated: 2026-04-28 | Assigner: VulnCheck

MEDIUM: 6.1 (CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N)

HIGH: 8.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H)

Problem types

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Product status

Default status: unaffected

Any version before 2026.4.2: affected

2026.4.2 (semver): unaffected

Credits

jufeng123768 (reporter)

References

github.com/...enclaw/security/advisories/GHSA-m34q-h93w-vg5x (GitHub Security Advisory GHSA-m34q-h93w-vg5x) [vendor-advisory]

github.com/...ommit/b21c9840c2e38f4bb338d031511b479d5f07ca25 (Patch Commit) [patch]

www.vulncheck.com/...letion-via-mis-scoped-mirror-mode-paths (VulnCheck Advisory: OpenClaw < 2026.4.2 - Arbitrary Remote Directory Deletion via Mis-scoped Mirror Mode Paths) [third-party-advisory]

cve.org (CVE-2026-41383)

nvd.nist.gov (CVE-2026-41383)