Executive Summary

CVE-2026-41911 is a vulnerability in OpenClaw versions before 2026.4.8 that allows attackers to bypass the workspace-only filesystem policy during DOCX file uploads.

Specifically, the upload_file and upload_image endpoints can be exploited to read local files outside the intended workspace boundaries, due to improper permission assignment and insufficient pathname restrictions.

This means that an attacker with some level of local access can access files that should be protected within the workspace, violating the intended security controls.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to unauthorized local file reads outside the designated workspace, potentially exposing sensitive or critical files on the system.

Since the confidentiality impact is high, attackers could gain access to private data that should be restricted, which could lead to information disclosure.

The attack requires low privileges and no user interaction, making it easier for an attacker with limited access to exploit.

Useful 0 Not Useful 0

Mitigation Strategies

To mitigate this vulnerability, you should upgrade OpenClaw to version 2026.4.8 or later, where the issue has been fixed.

This update addresses the filesystem policy bypass vulnerability in the DOCX upload processing that allowed local file reads outside workspace boundaries.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability allows unauthorized local file reads outside the intended workspace boundaries, potentially exposing sensitive or confidential data.

Such unauthorized access to local files could lead to violations of data protection regulations like GDPR or HIPAA if personal or protected health information is exposed.

However, the provided information does not explicitly discuss compliance impacts or specific regulatory consequences.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability involves the upload_file and upload_image endpoints in OpenClaw versions prior to 2026.4.8, which allow reading files outside the intended workspace boundaries via DOCX upload processing.

To detect exploitation attempts on your system or network, you should monitor and analyze requests to these endpoints for suspicious file path parameters that attempt to access files outside the workspace.

• Inspect web server logs or application logs for requests to upload_file or upload_image endpoints containing path traversal patterns such as '../' or absolute file paths.
• Use network monitoring tools or intrusion detection systems (IDS) to flag HTTP requests with suspicious payloads targeting these endpoints.
• Example command to search logs for suspicious path traversal attempts (assuming logs are in access.log):
• grep -E 'upload_file|upload_image' access.log | grep -E '\.\./|/etc/passwd|C:\\Windows'
• If you have access to the OpenClaw application environment, review recent uploads or file access logs for unexpected file reads outside the workspace.

Useful 0 Not Useful 0