
CVE-2026-41296 - Vulnerability Analysis

High, CVSS: 8.2

Last Updated: April 21, 2026

OpenClaw - Sandbox Escape & Arbitrary File Read

Published: April 21, 2026 | Updated: April 21, 2026 | Remote Exploitable

Overview

OpenClaw versions before 2026.3.31 contain a race condition in the readFile function of the remote filesystem bridge, where path validation and the file read are performed as separate operations. An attacker can use the gap between the two to escape the sandbox and read arbitrary files. Exploitation requires no special privileges.
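
The check-then-use pattern described above, next to an open-then-check alternative, as an added example that is not OpenClaw's code or its fix. The function names, the `gap` hook, the symlink swap used to model the race and the Linux-only `/proc/self/fd` lookup are assumptions made for illustration.

```javascript
const fs = require('node:fs');
const path = require('node:path');

// True when the already-resolved path `real` lies strictly below `rootReal`.
function within(rootReal, real) {
  const rel = path.relative(rootReal, real);
  return rel !== '' && rel !== '..' && !rel.startsWith('..' + path.sep) && !path.isAbsolute(rel);
}

// Check-then-use (CWE-367): the name is resolved for the check and again for the
// read. `gap` is a hypothetical hook standing in for a concurrent filesystem change.
function readCheckThenUse(root, rel, gap = () => {}) {
  const p = path.join(root, rel);
  if (!within(fs.realpathSync(root), fs.realpathSync(p))) throw new Error('outside sandbox');
  gap();
  return fs.readFileSync(p, 'utf8'); // second, independent resolution of the name
}

// Open-then-check: resolve the name once, validate what the descriptor refers to
// (Linux-only /proc lookup), then read from that same descriptor.
function readOpenThenCheck(root, rel, gap = () => {}) {
  const fd = fs.openSync(path.join(root, rel), 'r');
  try {
    const real = fs.readlinkSync(`/proc/self/fd/${fd}`);
    if (!within(fs.realpathSync(root), real)) throw new Error('outside sandbox');
    gap();
    return fs.readFileSync(fd, 'utf8');
  } finally {
    fs.closeSync(fd);
  }
}

// Constructed fixture: note.txt is swapped for a symlink exactly in the gap.
function demo() {
  const base = fs.mkdtempSync(path.join(require('node:os').tmpdir(), 'toctou-'));
  const [root, secret] = [path.join(base, 'sandbox'), path.join(base, 'host.txt')];
  const note = path.join(root, 'note.txt');
  fs.mkdirSync(root);
  fs.writeFileSync(secret, 'HOST');
  const reset = () => { fs.rmSync(note, { force: true }); fs.writeFileSync(note, 'SANDBOX'); };
  const swap = () => { fs.rmSync(note); fs.symlinkSync(secret, note); };
  const attempt = (fn) => { try { return fn(); } catch (e) { return e.message; } };
  reset();
  const weak = readCheckThenUse(root, 'note.txt', swap);
  reset();
  const hardened = readOpenThenCheck(root, 'note.txt', swap);
  const preSwapped = attempt(() => readOpenThenCheck(root, 'note.txt')); // symlink still in place
  fs.rmSync(base, { recursive: true, force: true });
  return { weak, hardened, preSwapped };
}
```

Calling `demo()` returns the three outcomes: the check-then-use read returns the file outside the sandbox, while the descriptor-based read returns the sandbox file or rejects the request.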

Severity & Score

Severity: High
CVSS Score: 8.2

Impact

Attackers can escape sandbox restrictions and read arbitrary files, potentially exposing sensitive data.

Mitigation

Update to version 2026.3.31 or later.

Details

CVE ID: CVE-2026-41296
Severity: High
CVSS Score: 8.2
Type: race_condition
Status: new

CWE

  • CWE-367

CVSS Metrics

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N