Inclusion of Functionality from Untrusted Control Sphere in OpenClaw - CVE-2026-41355

Published: May 1, 2026


Vulnerability identifier: #VU128740
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-41355
CWE-ID: CWE-829
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: OpenClaw
Affected software:
OpenClaw

Detailed vulnerability description

The vulnerability allows a remote user to execute arbitrary code on the host.

The vulnerability exists because OpenShell mirror-mode workspace hooks include functionality from an untrusted control sphere. When the gateway starts, it synchronizes files from the untrusted sandbox into the workspace, and files placed there can be turned into explicitly enabled workspace hooks. A remote user who can write to the sandbox can therefore plant crafted hook files that the host later runs as enabled workspace hooks, giving arbitrary code execution on the host.

Exploitation requires mirror mode to be in use, workspace hooks to be enabled with explicit hook opt-in, and a gateway restart; these preconditions are why the CVSS vector carries AT:P and PR:L.


How to mitigate CVE-2026-41355

Install the security update from the vendor's website. Until it is applied, the preconditions above point to the interim workaround: do not enable workspace hooks in mirror-mode workspaces, and review any hook files that were synchronized from the sandbox before restarting the gateway.
