CVE-2026-41383
Published: 28 April 2026
Summary
CVE-2026-41383 is a high-severity Path Traversal (CWE-22) vulnerability in OpenClaw. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Data Destruction (T1485). The vulnerability ranks at the 15.7th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a referenced public proof-of-concept.
The strongest mitigations our analysis identified are NIST 800-53 CM-5 (Access Restrictions for Change) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly mitigates path traversal (CWE-22) by validating attacker-influenced configuration values such as remoteWorkspaceDir and remoteAgentWorkspaceDir, so that mirror sync cannot be pointed at an arbitrary remote directory for deletion.
- SI-2 (Flaw Remediation): ensures timely remediation by patching to OpenClaw 2026.4.2 or later, which removes the vulnerability in mirror mode configuration handling.
- CM-5 (Access Restrictions for Change): restricts who may change critical configuration paths such as remoteWorkspaceDir, preventing low-privilege (PR:L) attackers from manipulating mirror sync operations.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables arbitrary remote directory deletion and overwriting of contents with attacker-controlled data, directly mapping to data destruction for availability impact and stored data manipulation.
NVD Description
OpenClaw before 2026.4.2 contains an arbitrary directory deletion vulnerability in mirror mode that allows attackers to delete remote directories by influencing remoteWorkspaceDir and remoteAgentWorkspaceDir configuration values. Attackers can manipulate these OpenShell config paths to cause mirror sync operations to delete unintended remote directory contents and replace them with uploaded workspace data.
Deeper analysis
CVE-2026-41383 is an arbitrary directory deletion vulnerability (CWE-22) affecting OpenClaw versions prior to 2026.4.2. The issue resides in the mirror mode feature, where attackers can influence the remoteWorkspaceDir and remoteAgentWorkspaceDir configuration values within OpenShell config paths. This manipulation causes mirror sync operations to delete unintended contents from remote directories and replace them with uploaded workspace data. The vulnerability has a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H), indicating high severity due to significant integrity and availability impacts.
Attackers require low privileges (PR:L), such as those of an authenticated user with access to influence the specified configuration values over the network (AV:N) with low complexity (AC:L) and no user interaction (UI:N). Successful exploitation allows arbitrary deletion of remote directories, enabling attackers to disrupt services by removing critical files and overwriting them with malicious workspace data, potentially leading to denial of service or further compromise.
Mitigation involves upgrading to OpenClaw version 2026.4.2 or later, as detailed in the patching commit at https://github.com/openclaw/openclaw/commit/b21c9840c2e38f4bb338d031511b479d5f07ca25. Additional guidance is available in the GitHub security advisory at https://github.com/openclaw/openclaw/security/advisories/GHSA-m34q-h93w-vg5x and the Vulncheck advisory at https://www.vulncheck.com/advisories/openclaw-arbitrary-remote-directory-deletion-via-mis-scoped-mirror-mode-paths.
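The SI-10 control listed above and the analysis of the mis-scoped mirror-mode paths both come down to one check: a configured remote directory must be resolved and proven to sit strictly inside an allowed root before any delete-and-replace step runs. The following is an added example of that check, written for this page; it is not OpenClaw's code and does not reproduce the patched commit. It assumes a hypothetical ALLOWED_ROOT under which all remote workspaces live, uses the configuration key names from the advisory, and works on POSIX path strings only.

```python
"""Hardened resolution of mirror-mode remote workspace paths (added example).

Assumptions, not OpenClaw code: a fixed ALLOWED_ROOT that every remote
workspace directory must live under, and config keys named as in the
advisory (remoteWorkspaceDir, remoteAgentWorkspaceDir).
"""
import posixpath
from typing import Dict

# Constructed placeholder; a real deployment would take this from its own config.
ALLOWED_ROOT = "/srv/openclaw/workspaces"

REMOTE_DIR_KEYS = ("remoteWorkspaceDir", "remoteAgentWorkspaceDir")


class UnsafeRemotePathError(ValueError):
    """Raised when a configured remote directory escapes the allowed root."""


def resolve_remote_dir(configured: str, allowed_root: str = ALLOWED_ROOT) -> str:
    """Return the normalized absolute remote path, or raise if it is unsafe.

    The containment check runs on the normalized string (CWE-22 mitigation,
    NIST SI-10): '..' segments and duplicate slashes are collapsed first, so a
    value such as 'a/../../etc' cannot slip past a naive prefix comparison.
    """
    if not isinstance(configured, str) or not configured or "\x00" in configured:
        raise UnsafeRemotePathError("empty, non-string or NUL-containing path")
    root = posixpath.normpath(allowed_root)
    if posixpath.isabs(configured):
        candidate = posixpath.normpath(configured)
    else:
        candidate = posixpath.normpath(posixpath.join(root, configured))
    # Refuse the root itself: a sync that cleared it would delete every workspace.
    if candidate == root:
        raise UnsafeRemotePathError(f"{configured!r} resolves to the root itself")
    # Compare with a trailing separator so '/srv/openclaw/workspaces2' is not
    # accepted as a child of '/srv/openclaw/workspaces'.
    if not candidate.startswith(root.rstrip("/") + "/"):
        raise UnsafeRemotePathError(f"{configured!r} escapes {root}")
    return candidate


def is_safe_remote_dir(configured: str, allowed_root: str = ALLOWED_ROOT) -> bool:
    """Boolean form of resolve_remote_dir for callers that only need a verdict."""
    try:
        resolve_remote_dir(configured, allowed_root)
        return True
    except UnsafeRemotePathError:
        return False


def plan_mirror_sync(config: Dict[str, str], allowed_root: str = ALLOWED_ROOT) -> Dict[str, str]:
    """Validate every remote-directory key before any delete/replace step.

    Returns a mapping of config key -> resolved path. Every key is checked
    before anything is returned, so one bad value aborts the whole sync instead
    of leaving a partially cleared remote tree.
    """
    resolved: Dict[str, str] = {}
    for key in REMOTE_DIR_KEYS:
        if key not in config:
            raise UnsafeRemotePathError(f"missing required key {key}")
        resolved[key] = resolve_remote_dir(config[key], allowed_root)
    if len(set(resolved.values())) != len(resolved):
        raise UnsafeRemotePathError("remote directories must not alias each other")
    return resolved


if __name__ == "__main__":
    # Constructed sample configs: one in scope, three that a validator must reject.
    samples = [
        {"remoteWorkspaceDir": "team-a/ws", "remoteAgentWorkspaceDir": "team-a/agent"},
        {"remoteWorkspaceDir": "../../etc", "remoteAgentWorkspaceDir": "team-a/agent"},
        {"remoteWorkspaceDir": "/", "remoteAgentWorkspaceDir": "team-a/agent"},
        {"remoteWorkspaceDir": ALLOWED_ROOT, "remoteAgentWorkspaceDir": "team-a/agent"},
    ]
    for cfg in samples:
        try:
            print("OK  ", plan_mirror_sync(cfg))
        except UnsafeRemotePathError as exc:
            print("DENY", exc)
```

Two design points matter here. First, the check is done on the normalized path and rejects the root itself, which is the difference between "a workspace under the root" and "the whole root", the scope that the advisory's "mis-scoped" wording refers to. Second, lexical normalization does not follow symbolic links; a sync that runs on the remote host should additionally resolve the final path there (realpath) and re-apply the same containment test before deleting anything.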
Details
- CWE(s): CWE-22 (Path Traversal)