CVE-2026-41363: OpenClaw: Feishu extension resolveUploadInput bypasses file-system sandbox and allows arbitrary file reads via upload_image
The Feishu extension's upload path resolution (resolveUploadInput) could read files outside the configured localRoots sandbox before handing them to the upload_image flow.
References
- github.com/advisories/GHSA-qf48-qfv4-jjm9
- github.com/openclaw/openclaw
- github.com/openclaw/openclaw/commit/764394c78b6c22c5b53c3cd132d27ff36340bf45
- github.com/openclaw/openclaw/security/advisories/GHSA-qf48-qfv4-jjm9
- nvd.nist.gov/vuln/detail/CVE-2026-41363
- www.vulncheck.com/advisories/openclaw-arbitrary-file-read-via-feishu-upload-image-parameter