CVE-2026-41911
Filesystem Policy Bypass in OpenClaw docx Upload Enables Local File Read
Publication date: 2026-04-28
Last updated on: 2026-04-30
Assigner: VulnCheck
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| openclaw | openclaw | < 2026.4.8 (all releases before 2026.4.8; 2026.4.8 is the fixed release) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-41911 is a path traversal flaw (CWE-22) in OpenClaw versions before 2026.4.8 that lets an attacker bypass the workspace-only filesystem policy during DOCX upload processing.
Specifically, the upload_file and upload_image endpoints accept a pathname that is not properly confined to the workspace directory (the advisory attributes this to improper permission assignment and insufficient pathname restrictions), so a crafted upload can make the server read a local file outside the workspace.
An attacker with low-privilege access to these endpoints can therefore read files that the workspace policy was meant to keep out of reach, defeating the intended isolation between the workspace and the rest of the host.
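To make the CWE-22 pattern behind this advisory concrete, here is an added Python example (not OpenClaw's code; the page does not show the affected routine, and the workspace root `/srv/openclaw/workspace` is an assumed value) that puts two insufficient workspace checks beside a hardened one. The hardened version resolves the candidate path first and then compares path components, which closes the `..`, absolute-path, symlink and sibling-directory (`workspace_backup`) escapes that a join or a string-prefix check lets through:

```python
"""Workspace confinement: two insufficient checks beside a hardened one.

Added illustration of the CWE-22 pattern; not OpenClaw's code.
The workspace root used below is an assumed value.
"""
import os
from pathlib import Path


def naive_workspace_path(workspace: str, requested: str) -> str:
    """Vulnerable: joins and normalises but never checks containment.

    "../../../etc/passwd" walks out of the workspace, and an absolute
    request replaces the root entirely (os.path.join discards it).
    """
    return os.path.normpath(os.path.join(workspace, requested))


def prefix_checked_path(workspace: str, requested: str) -> str:
    """Still vulnerable: a string-prefix check passes sibling directories.

    "/srv/openclaw/workspace_backup" starts with "/srv/openclaw/workspace",
    so "../workspace_backup/secret.txt" slips through the check.
    """
    root = os.path.abspath(workspace)
    candidate = os.path.abspath(os.path.join(root, requested))
    if not candidate.startswith(root):
        raise PermissionError(f"outside workspace: {requested!r}")
    return candidate


def confined_workspace_path(workspace: str, requested: str) -> Path:
    """Hardened: resolve (collapses '..', follows symlinks), then require
    the result to be the root itself or to have the root among its parents.

    Comparing path components instead of string prefixes closes the
    sibling-directory hole; resolving before the check closes '..' and
    symlink escapes. An absolute `requested` replaces the root in the
    pathlib join and is rejected by the same containment test.
    """
    root = Path(workspace).resolve()
    candidate = (root / requested).resolve()
    if candidate != root and root not in candidate.parents:
        raise PermissionError(f"outside workspace: {requested!r}")
    return candidate


def is_inside_workspace(workspace: str, requested: str) -> bool:
    """Boolean form of the hardened check, for policy code and tests."""
    try:
        confined_workspace_path(workspace, requested)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    WORKSPACE = "/srv/openclaw/workspace"  # assumed value
    for req in ["docs/report.docx", "../../../etc/passwd", "/etc/passwd",
                "../workspace_backup/secret.txt"]:
        verdict = "allow" if is_inside_workspace(WORKSPACE, req) else "deny"
        print(f"{req:32} naive={naive_workspace_path(WORKSPACE, req):40} confined={verdict}")
```

The check must run on the path the server will actually open, after every decoding and normalisation step the upload handler performs; a check applied to the raw request string and a later join on a transformed copy recreates the bug.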
How can this vulnerability impact me?
This vulnerability can lead to unauthorized reads of local files outside the designated workspace, exposing whatever the OpenClaw process itself is permitted to read on the host, which may include configuration, credentials and other sensitive files.
The confidentiality impact is rated high: an attacker could obtain private data that the workspace policy was meant to keep out of reach, leading to information disclosure.
The attack requires only low privileges and no user interaction, so an attacker with limited access to the upload endpoints can exploit it without tricking anyone.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, upgrade OpenClaw to version 2026.4.8 or later, where the issue is fixed, and confirm the running version after the upgrade rather than assuming the deployment picked it up.
The update corrects the filesystem policy bypass in DOCX upload processing that allowed local file reads outside workspace boundaries. Until you can upgrade, limit which principals can reach the upload_file and upload_image endpoints, and review what the account running OpenClaw can read on the host, since that is the upper bound on what a successful read exposes.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows unauthorized local file reads outside the intended workspace boundaries, which can expose sensitive or confidential data stored on the host.
If the exposed files contain personal data or protected health information, such unauthorized access could amount to a reportable breach under regulations like GDPR or HIPAA.
However, the advisory itself does not discuss compliance impacts or specific regulatory consequences, so any assessment has to be based on what data your OpenClaw host actually holds.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
In versions before 2026.4.8, the upload_file and upload_image endpoints can read files outside the intended workspace during DOCX upload processing, so detection focuses on requests to those two endpoints.
Monitor them for pathname values that try to leave the workspace: `../` segments (including percent-encoded and double-encoded forms such as `..%2f` and `%252e%252e`), absolute POSIX paths, and Windows drive paths.
- Inspect web server or application logs for requests to upload_file or upload_image whose path or parameters contain such patterns.
- Use network monitoring tools or an intrusion detection system (IDS) to flag HTTP requests carrying these payloads toward the two endpoints.
- Example command to search an access log (assuming Apache/nginx-style entries in access.log; `-i` makes the second match case-insensitive so `%2E` is caught as well as `%2e`):

```shell
grep -E 'upload_file|upload_image' access.log | grep -iE '\.\./|\.\.%2f|%2e%2e|/etc/passwd|C:\\Windows'
```

- Because the offending pathname may travel inside the uploaded DOCX or a request body rather than in the URL, access logs alone can miss it. If you have access to the OpenClaw application environment, also review its upload and file-access logs for reads of paths outside the workspace root.
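The detection steps above carried out in code: an added Python example (not from the page or from OpenClaw) that parses constructed Common Log Format lines, percent-decodes the request target repeatedly so single- and double-encoded traversal is seen, and flags requests to the two upload endpoints whose path or query values contain a `..` segment, an absolute path, or a Windows drive path. The endpoint paths `/api/upload_file` and `/api/upload_image`, the parameter name `name`, and the log lines themselves are assumptions made for illustration.

```python
"""Access-log triage for traversal attempts against the upload endpoints.

Added example, not OpenClaw's code. Endpoint paths, the `name` parameter
and the sample log lines are constructed for illustration.
"""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Common Log Format request line; the request target is what we inspect.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)
# Assumed route names; adjust to the real deployment.
UPLOAD_ENDPOINT = re.compile(r"/upload_(?:file|image)(?:[/?#]|$)")
# A ".." path segment delimited by slashes, backslashes or string ends.
DOTDOT_SEGMENT = re.compile(r"(?:^|[\\/])\.\.(?:[\\/]|$)")
WINDOWS_DRIVE = re.compile(r"^[A-Za-z]:[\\/]")

# Constructed sample log: one benign upload, four attempts, one non-upload hit.
SAMPLE_LOG = [
    '10.0.0.5 - - [28/Apr/2026:10:02:11 +0000] "POST /api/upload_file?name=report.docx HTTP/1.1" 200 512',
    '10.0.0.9 - - [28/Apr/2026:10:04:37 +0000] "POST /api/upload_file?name=../../../etc/passwd HTTP/1.1" 200 1984',
    '10.0.0.9 - - [28/Apr/2026:10:04:52 +0000] "POST /api/upload_image?name=..%2F..%2F..%2Fetc%2Fshadow HTTP/1.1" 403 0',
    '10.0.0.9 - - [28/Apr/2026:10:05:03 +0000] "POST /api/upload_file?name=%252e%252e%252f%252e%252e%252fetc%252fhostname HTTP/1.1" 200 64',
    '10.0.0.9 - - [28/Apr/2026:10:05:40 +0000] "POST /api/upload_image?name=C:%5CWindows%5Cwin.ini HTTP/1.1" 200 403',
    '10.0.0.7 - - [28/Apr/2026:10:06:10 +0000] "GET /api/files?name=../../etc/passwd HTTP/1.1" 404 0',
]


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until stable (bounded), so %252e%252e%252f -> ../"""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_reasons(value: str) -> list:
    """Classify one decoded path-like string; empty list means benign."""
    reasons = []
    if DOTDOT_SEGMENT.search(value):
        reasons.append("dot-dot segment")
    if value.startswith(("/", "\\")):
        reasons.append("absolute path")
    if WINDOWS_DRIVE.match(value):
        reasons.append("windows drive path")
    return reasons


def analyze_log(lines) -> list:
    """Return one hit per request to an upload endpoint that carries an
    escape attempt in its path or in any query parameter value."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # unparseable line: not this tool's concern
        parts = urlsplit(m["target"])
        path = fully_decode(parts.path)
        if not UPLOAD_ENDPOINT.search(path):
            continue  # scope limited to the two endpoints in the advisory
        reasons = []
        if DOTDOT_SEGMENT.search(path):
            reasons.append("dot-dot segment in path")
        # parse_qsl decodes once; fully_decode peels any further layers.
        for key, raw in parse_qsl(parts.query, keep_blank_values=True):
            for r in suspicious_reasons(fully_decode(raw)):
                reasons.append(f"{r} in {key}")
        if reasons:
            hits.append({"ip": m["ip"], "status": m["status"],
                         "target": m["target"], "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in analyze_log(SAMPLE_LOG):
        print(f"{hit['ip']:10} {hit['status']} {hit['target']}  <- {', '.join(hit['reasons'])}")
```

A 200 on a flagged request is the one to escalate; a 403 shows the policy held that time. Drop the UPLOAD_ENDPOINT filter to apply the same classification to every request. As noted above, a pathname carried inside the DOCX body never reaches the access log, so this complements rather than replaces application-side logging.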