Cyber Resilience

CVE-2026-41355

MediumPublic PoCUpdated

Published: 23 April 2026

Published
23 April 2026
Modified
12 May 2026
KEV Added
Patch
CVSS Score v4 5.4 CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0001 2.6th percentile
Risk Priority 11 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-41355 is a medium-severity Inclusion of Functionality from Untrusted Control Sphere (CWE-829) vulnerability in Openclaw Openclaw. Its CVSS base score is 5.4 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked at the 2.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-41355 is an arbitrary code execution vulnerability (CWE-829) in OpenShell versions prior to 2026.3.28. The flaw occurs in the mirror mode component, where untrusted sandbox files are improperly converted into workspace hooks, allowing exploitation during gateway startup. It carries a CVSS v3.1 base score of 7.3 (AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H), indicating high impact with local access requirements.

An attacker with mirror mode access can exploit this vulnerability to execute arbitrary code on the host system. Exploitation requires local access, low privileges, low attack complexity, and user interaction, such as enabling workspace hooks. Successful exploitation during gateway startup provides high confidentiality, integrity, and availability impacts.

Advisories and the associated patch recommend upgrading to OpenShell 2026.3.28 or later to mitigate the issue. Relevant resources include the fixing commit at https://github.com/openclaw/openclaw/commit/c02ee8a3a4cb390b23afdf21317aa8b2096854d1, the GitHub security advisory at https://github.com/openclaw/openclaw/security/advisories/GHSA-42mx-vp8m-j7qh, and the VulnCheck analysis at https://www.vulncheck.com/advisories/openshell-arbitrary-code-execution-via-mirror-mode-sandbox-file-conversion.

EU & UK References

Vulnerability details

OpenClaw before 2026.3.28 contains an arbitrary code execution vulnerability in mirror mode that converts untrusted sandbox files into workspace hooks. Attackers with mirror mode access can execute arbitrary code on the host during gateway startup by exploiting enabled workspace hooks.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1203 Exploitation for Client Execution Execution
Adversaries may exploit software vulnerabilities in client applications to execute code.
Why these techniques?

The CVE describes a local arbitrary code execution vulnerability in OpenShell that is exploited with low privileges and user interaction during startup, directly enabling T1203 Exploitation for Client Execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-41336Same product: Openclaw Openclaw
CVE-2026-41295Same product: Openclaw Openclaw
CVE-2026-32920Same product: Openclaw Openclaw
CVE-2026-43571Same product: Openclaw Openclaw
CVE-2026-41396Same product: Openclaw Openclaw
CVE-2026-22217Same product: Openclaw Openclaw
CVE-2026-43569Same product: Openclaw Openclaw
CVE-2026-35641Same product: Openclaw Openclaw
CVE-2026-35643Same product: Openclaw Openclaw
CVE-2026-44995Same product: Openclaw Openclaw

Affected Assets

openclaw
openclaw
≤ 2026.3.28

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires applying the vendor patch (upgrade to 2026.3.28+) that eliminates the sandbox-to-hook conversion flaw.

prevent

Enforces disabling or restricting the mirror-mode workspace-hooks feature so untrusted sandbox files cannot be converted into executable hooks.

prevent

Enforces access-control policy on mirror-mode activation and hook enablement, blocking the local attacker prerequisite stated in the CVE.

References