Description
OpenClaw before 2026.4.2 contains an arbitrary directory deletion vulnerability in mirror mode that allows attackers to delete remote directories by influencing remoteWorkspaceDir and remoteAgentWorkspaceDir configuration values. Attackers can manipulate these OpenShell config paths to cause mirror sync operations to delete unintended remote directory contents and replace them with uploaded workspace data.
Published: 2026-04-28
Score: 6.1 Medium
EPSS: n/a
KEV: No
Impact: Remote Directory Deletion via misconfigured mirror mode paths
Action: Apply Immediate Patch
AI Analysis

Impact

The flaw resides in OpenClaw’s mirror mode where an attacker can influence the configuration values remoteWorkspaceDir and remoteAgentWorkspaceDir. By supplying malicious values in the OpenShell config, the mirror sync operation can delete arbitrary remote directories and overwrite the contents with data from the attacker's local workspace. This leads to loss of remote data and potential data integrity compromise.

Affected Systems

Versions of OpenClaw earlier than 2026.4.2 are vulnerable. The issue is present in all deployments of the OpenClaw product that use the mirror mode feature, regardless of operating system, as long as remote configuration paths are not properly constrained.

Risk and Exploitability

The reported CVSS score of 6.1 indicates a moderate severity. No EPSS score is available, and the vulnerability is not listed in CISA’s KEV catalog. Attackers would need to gain the ability to modify the configuration for the target instance, which is typically possible if remote configuration management is exposed or if the attacker can upload configuration files. Once the configuration is altered, the deletion can occur during normal mirror sync operations without additional privileges.

Generated by OpenCVE AI on April 28, 2026 at 23:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OpenClaw to version 2026.4.2 or later, which removes the flawed mirror mode logic
  • If an upgrade is unavailable, disable mirror mode entirely or restrict its use to a protected internal network
  • Ensure that any remaining mirror mode configuration explicitly restricts remoteWorkspaceDir and remoteAgentWorkspaceDir to non-sensitive directories and validates each value against an allowlist of acceptable paths

Advisories

No advisories yet.

History

Tue, 28 Apr 2026 19:15:00 +0000

Type | Values Removed | Values Added
Description | | OpenClaw before 2026.4.2 contains an arbitrary directory deletion vulnerability in mirror mode that allows attackers to delete remote directories by influencing remoteWorkspaceDir and remoteAgentWorkspaceDir configuration values. Attackers can manipulate these OpenShell config paths to cause mirror sync operations to delete unintended remote directory contents and replace them with uploaded workspace data.
Title | | OpenClaw < 2026.4.2 - Arbitrary Remote Directory Deletion via Mis-scoped Mirror Mode Paths
First Time appeared | | Openclaw; Openclaw openclaw
Weaknesses | | CWE-22
CPEs | | cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*
Vendors & Products | | Openclaw; Openclaw openclaw
References | |
Metrics | | cvssV3_1 {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H'}
 | | cvssV4_0 {'score': 6.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-28T18:09:46.122Z

Reserved: 2026-04-20T14:12:09.519Z

Link: CVE-2026-41383

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-04-28T19:37:41.360

Modified: 2026-04-28T20:10:23.367

Link: CVE-2026-41383

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T23:15:43Z

Weaknesses