CVE-2026-41363

Name of the Vulnerable Software and Affected Versions OpenClaw versions 2026.2.6 through 2026.3.24

Description A path traversal issue exists in the Feishu extension resolveUploadInput() function. This flaw allows attackers to bypass file-system sandbox restrictions by exploiting improper path resolution during upload image operations, enabling the reading of arbitrary files outside the configured localRoots boundaries. Path traversal is a technique where an attacker uses special characters to access files and directories that are stored outside the intended folder.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.