CVE-2026-41383:
CVE-2026-41383 is an arbitrary directory deletion vulnerability in OpenClaw before version 2026.4.2 that allows authenticated attackers to delete and overwrite unintended remote directories via manipulated mirror mode configuration paths.
Score
A numerical rating that indicates how dangerous this vulnerability is.
8.1 High
- Published Date: Apr 28, 2026
- CISA KEV Date: *No Data*
- Industries Affected: 20
Exploitability
- Score: 2.8
- Attack Vector: NETWORK
- Attack Complexity: LOW
- Privileges Required: LOW
- User Interaction: NONE
- Scope: UNCHANGED
Impact
- Score: 5.2
- Confidentiality Impact: NONE
- Integrity Impact: HIGH
- Availability Impact: HIGH
Overview
CVE-2026-41383 affects OpenClaw versions prior to 2026.4.2 and stems from insufficient validation of remote directory path configuration values used during mirror mode synchronization operations. An attacker who can influence the `remoteWorkspaceDir` or `remoteAgentWorkspaceDir` configuration values can redirect mirror sync operations to target arbitrary remote directories. The mirror sync process deletes the targeted directory's contents before uploading workspace data, making this an effective mechanism for both destructive deletion and unauthorized data replacement on remote systems. This is classified as a path traversal issue under CWE-22, with no confidentiality impact but high integrity and availability impact to the vulnerable system.
Remediation
- Users and administrators should upgrade OpenClaw to version 2026.4.2 or later, which contains the patch addressing this vulnerability as referenced in commit `b21c9840c2e38f4bb338d031511b479d5f07ca25`. Until an upgrade can be applied, organizations should restrict access to mirror mode configuration settings and audit existing `remoteWorkspaceDir` and `remoteAgentWorkspaceDir` values to ensure they point to expected directories. Access controls should be enforced to limit which users can modify OpenShell configuration paths, and network-level controls should be considered to limit exposure of the affected service.
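The audit step above (checking that `remoteWorkspaceDir` and `remoteAgentWorkspaceDir` point to expected directories) can be automated with a containment check before mirror sync ever runs its delete-then-upload step. The following is an added example, not OpenClaw's own code or its patch; the config key names are the ones in the advisory, while the sandbox root and the `resolveConfinedRemoteDir` / `auditMirrorConfig` helpers are assumptions of this example.

```typescript
import * as path from "path";

// Added example, not OpenClaw's own code. Mirror mode wipes the target
// directory before uploading, so both remote paths must be confined to the
// expected sandbox root (an assumed value) before any destructive step runs.

export interface MirrorConfig {
  remoteWorkspaceDir: string;
  remoteAgentWorkspaceDir: string;
}

// Resolve a configured value against the sandbox root and return the confined
// absolute path, or null if it escapes. Rejected: absolute paths elsewhere,
// ".." traversal, the root itself, and a root of "/" (wiping any of those is
// the arbitrary-deletion case the advisory describes).
export function resolveConfinedRemoteDir(configured: string, sandboxRoot: string): string | null {
  if (configured.trim() === "") return null;
  const root = path.posix.resolve("/", sandboxRoot);
  if (root === "/") return null;
  const candidate = path.posix.resolve(root, configured);
  if (candidate === root) return null;
  // Compare with a trailing separator so "/sandbox-evil" is not accepted for
  // a root of "/sandbox".
  return candidate.startsWith(root + "/") ? candidate : null;
}

// Audit both mirror paths; returns the resolved targets when every value is
// confined, otherwise the list of offending keys and values.
export function auditMirrorConfig(cfg: MirrorConfig, sandboxRoot: string):
  { ok: true; targets: MirrorConfig } | { ok: false; findings: string[] } {
  const findings: string[] = [];
  const targets: Partial<MirrorConfig> = {};
  for (const key of ["remoteWorkspaceDir", "remoteAgentWorkspaceDir"] as const) {
    const resolved = resolveConfinedRemoteDir(cfg[key], sandboxRoot);
    if (resolved === null) findings.push(`${key}=${JSON.stringify(cfg[key])} escapes ${sandboxRoot}`);
    else targets[key] = resolved;
  }
  if (findings.length > 0) return { ok: false, findings };
  return { ok: true, targets: targets as MirrorConfig };
}
```

The check is purely lexical: it does not follow symlinks on the remote side, so the sync process should also verify the real path of the target just before deleting anything.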
References
- [GitHub Commit: Fix for CVE-2026-41383](https://github.com/openclaw/openclaw/commit/b21c9840c2e38f4bb338d031511b479d5f07ca25)
- [GitHub Security Advisory GHSA-m34q-h93w-vg5x](https://github.com/openclaw/openclaw/security/advisories/GHSA-m34q-h93w-vg5x)
- [VulnCheck Advisory: OpenClaw Arbitrary Remote Directory Deletion via Mis-Scoped Mirror Mode Paths](https://www.vulncheck.com/advisories/openclaw-arbitrary-remote-directory-deletion-via-mis-scoped-mirror-mode-paths)
- [NVD Entry: CVE-2026-41383](https://nvd.nist.gov/vuln/detail/CVE-2026-41383)
- [CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')](https://cwe.mitre.org/data/definitions/22.html)
Industries Affected
Below is a list of industries most commonly impacted or potentially at risk based on intelligence.