Medium severity (5.3) · NVD Advisory · Published Apr 28, 2026 · Updated Apr 28, 2026
CVE-2026-41363
Description
OpenClaw versions 2026.2.6 through 2026.3.24 contain a path traversal vulnerability in the Feishu extension resolveUploadInput function that bypasses file-system sandbox restrictions. Attackers can exploit improper path resolution during upload_image operations to read arbitrary files outside configured localRoots boundaries.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| openclaw (npm) | >= 2026.2.6, < 2026.3.28 | 2026.3.28 |
References
- GitHub Advisory Database (GHSA source, advisory): https://github.com/advisories/GHSA-qf48-qfv4-jjm9
- Vendor advisory (NVD source): https://github.com/openclaw/openclaw/security/advisories/GHSA-qf48-qfv4-jjm9
- NVD entry (GHSA source, advisory): https://nvd.nist.gov/vuln/detail/CVE-2026-41363
- VulnCheck third-party advisory (NVD source): https://www.vulncheck.com/advisories/openclaw-arbitrary-file-read-via-feishu-upload-image-parameter
- Fix commit (GHSA source): https://github.com/openclaw/openclaw/commit/764394c78b6c22c5b53c3cd132d27ff36340bf45