{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-41383/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":8.1,"id":"CVE-2026-41383"}],"_cs_exploited":false,"_cs_products":["OpenClaw"],"_cs_severities":["high"],"_cs_tags":["cve-2026-41383","directory-traversal","file-deletion","openclaw"],"_cs_type":"advisory","_cs_vendors":["openclaw"],"content_html":"\u003cp\u003eOpenClaw before version 2026.4.2 is susceptible to an arbitrary directory deletion vulnerability (CVE-2026-41383) when operating in mirror mode. An attacker with control over the OpenShell configuration paths, specifically \u003ccode\u003eremoteWorkspaceDir\u003c/code\u003e and \u003ccode\u003eremoteAgentWorkspaceDir\u003c/code\u003e, can trigger the deletion of unintended remote directory contents. This is achieved by manipulating these configuration values to point to sensitive directories. The subsequent mirror sync operation replaces the deleted contents with data from the attacker\u0026rsquo;s workspace, leading to data loss and potential system compromise. 
This vulnerability allows an attacker to potentially wipe out important data on the remote end.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains access to the OpenClaw configuration.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the \u003ccode\u003eremoteWorkspaceDir\u003c/code\u003e and/or \u003ccode\u003eremoteAgentWorkspaceDir\u003c/code\u003e configuration values to point to a target directory they wish to delete.\u003c/li\u003e\n\u003cli\u003eThe attacker initiates a mirror sync operation.\u003c/li\u003e\n\u003cli\u003eOpenClaw, using the attacker-controlled path, connects to the remote system.\u003c/li\u003e\n\u003cli\u003eOpenClaw deletes the contents of the directory specified by the modified \u003ccode\u003eremoteWorkspaceDir\u003c/code\u003e or \u003ccode\u003eremoteAgentWorkspaceDir\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eOpenClaw uploads the contents of the attacker\u0026rsquo;s local workspace to the now-empty remote directory, effectively replacing the original data.\u003c/li\u003e\n\u003cli\u003eThe targeted remote directory now contains the attacker\u0026rsquo;s data instead of the original contents.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves arbitrary directory deletion and data replacement, potentially causing significant disruption and data loss.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability can lead to arbitrary deletion of files and directories on the remote system where OpenClaw is used in mirror mode. The impact includes potential data loss, service disruption, and the replacement of legitimate data with attacker-controlled content. 
Given the CVSS v3.1 score of 8.1, this vulnerability is considered high severity due to the potential for significant data integrity and availability impact.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade OpenClaw to version 2026.4.2 or later to remediate CVE-2026-41383.\u003c/li\u003e\n\u003cli\u003eMonitor OpenClaw configuration files for unauthorized modifications to \u003ccode\u003eremoteWorkspaceDir\u003c/code\u003e and \u003ccode\u003eremoteAgentWorkspaceDir\u003c/code\u003e using a file integrity monitoring system.\u003c/li\u003e\n\u003cli\u003eImplement strict access controls on OpenClaw configuration files to prevent unauthorized modification of these settings.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule to detect suspicious process execution related to modification of OpenClaw configuration files.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-29T12:00:00Z","date_published":"2026-04-29T12:00:00Z","id":"/briefs/2026-04-openclaw-directory-deletion/","summary":"OpenClaw before 2026.4.2 is vulnerable to arbitrary directory deletion in mirror mode, enabling attackers to delete remote directories by manipulating remoteWorkspaceDir and remoteAgentWorkspaceDir configuration values.","title":"OpenClaw Arbitrary Directory Deletion Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-openclaw-directory-deletion/"}],"language":"en","title":"CraftedSignal Threat Feed — Cve-2026-41383","version":"https://jsonfeed.org/version/1.1"}