CVE-2026-41363

· NIST NVD ↗

OpenClaw versions 2026.2.6 through 2026.3.24 contain a path traversal vulnerability in the Feishu extension resolveUploadInput function that bypasses file-system sandbox restrictions. Attackers can exploit improper path resolution during upload_image operations to read arbitrary files outside configured localRoots boundaries.

MEDIUM

CVSS severity

5.3

CVSS base score

2026-04-28

Published

CWE codes

CWE-22

Affected products

openclaw:openclaw

Sources

NIST NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-41363