CVE-2026-41397
critical
CVSS v3
9.6
CVSS v2
—
VIR risk
9.6
Description
OpenClaw: OpenShell Mirror Sync — Sandbox Escape via Unrestricted File Sync + Symlink Traversal
Predictions
Exploit likelihood
96%
Patch ETA
—
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: disclosure@vulncheck.com — https://github.com/openclaw/openclaw/security/advisories/GHSA-cwf8-44x6-32c2
Vendor advisory: disclosure@vulncheck.com — https://github.com/openclaw/openclaw/commit/c02ee8a3a4cb390b23afdf21317aa8b2096854d1
Vendor advisory: disclosure@vulncheck.com — https://github.com/openclaw/openclaw/commit/3b9dab0ece4643a9643e6a45459f5c709d3ce320
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| openclaw | openclaw | {"endExcluding":"2026.3.31"} | 2026.3.31 |
References
- https://github.com/openclaw/openclaw/commit/3b9dab0ece4643a9643e6a45459f5c709d3ce320
- https://github.com/openclaw/openclaw/commit/c02ee8a3a4cb390b23afdf21317aa8b2096854d1
- https://github.com/openclaw/openclaw/security/advisories/GHSA-cwf8-44x6-32c2
- https://www.vulncheck.com/advisories/openclaw-sandbox-escape-via-unrestricted-file-sync-and-symlink-traversal
- https://nvd.nist.gov/vuln/detail/CVE-2026-41397
- https://github.com/openclaw/openclaw
- https://github.com/openclaw/openclaw/releases/tag/v2026.3.31
- https://github.com/advisories/GHSA-cwf8-44x6-32c2
CWEs
CWE-59
Verify integrity in audit chain (admin only). AS-IS.