CVE-2026-41383: OpenClaw: OpenShell mirror mode could delete arbitrary remote directories when roots were mis-scoped

April 7, 2026 (updated April 28, 2026)

Before OpenClaw 2026.4.2, the OpenShell mirror backend accepted arbitrary absolute remoteWorkspaceDir and remoteAgentWorkspaceDir values. In mirror mode, those paths were then used as the target of remote cleanup and overwrite operations.

References

github.com/advisories/GHSA-m34q-h93w-vg5x
github.com/openclaw/openclaw
github.com/openclaw/openclaw/commit/b21c9840c2e38f4bb338d031511b479d5f07ca25
github.com/openclaw/openclaw/security/advisories/GHSA-m34q-h93w-vg5x
nvd.nist.gov/vuln/detail/CVE-2026-41383

Code Behaviors & Features

Detect and mitigate CVE-2026-41383 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →