Midas Auto-Intelligence — 2026-04-27 (Analysis Digest)
Source: 2026-04-24-openclaw-cve-41355-mirror-mode-sandbox-code-execution
# CVE-2026-41355: OpenClaw Arbitrary Code Execution via Mirror Mode — Sandbox → Workspace Hooks
**Date:** April 24, 2026
**Disclosure Published:** ~13 hours ago
**Collection Time:** 13:05 UTC
**Source:** RedPacketSecurity / NVD CVE feed
**Source Tier:** Tier 2 (CVE aggregator)
**Base CVE ID:** CVE-2026-41355
**Severity:** High
## Description
OpenClaw before v2026.3.28 contains an **arbitrary code execution vulnerability in mirror mode** that converts untrusted sandbox files into workspace hooks. This allows an attacker to escalate from sandbox access to executing code in the host workspace context.
## Technical Details
- **Vulnerability type:** Arbitrary code execution
- **Attack vector:** Mirror mode converts untrusted sandbox files into workspace hooks
- **Impact:** Sandbox → workspace escape enabling arbitrary code execution on host
- **Fixed in:** OpenClaw v2026.3.28+
## Significance
- **High severity:** a sandbox-to-host escape reduces the security guarantees of the sandbox
- Particularly concerning in multi-tenant or CI/CD deployments where sandbox isolation is relied upon
- Complements the previously documented sandbox bypass CVEs (CVE-2026-41294, CVE-2026-41303) and demonstrates persistent sandbox integrity issues across versions
- Fix threshold: OpenClaw ≥ v2026.3.28
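
To turn the fix threshold into a triage step, the following added example (not code from the advisory or from OpenClaw) classifies an inventory of reported OpenClaw versions against v2026.3.28 using numeric rather than string comparison. The host names, the inventory format and the `-suffix` pre-release convention are assumptions made for the example.

```python
import re

# Fix threshold from the advisory: versions before v2026.3.28 are affected.
FIXED = (2026, 3, 28)

# Assumed version shape: optional "v", three numeric fields, optional "-suffix".
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(-.+)?$")

def parse_version(text):
    """Return ((a, b, c), has_suffix), or None if the string is unparseable."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    return tuple(int(g) for g in m.group(1, 2, 3)), m.group(4) is not None

def classify(version_text):
    """Classify one reported version as 'affected', 'fixed' or 'unknown'."""
    parsed = parse_version(version_text)
    if parsed is None:
        return "unknown"  # never assume an unreadable version is safe
    numbers, has_suffix = parsed
    # Assumption: a suffixed build of exactly the fix version (for example a
    # pre-release) may predate the fix, so it is treated as affected.
    if numbers < FIXED or (numbers == FIXED and has_suffix):
        return "affected"
    return "fixed"

def triage(inventory):
    """Group host names by classification; inventory maps host -> version."""
    result = {"affected": [], "fixed": [], "unknown": []}
    for host, version in sorted(inventory.items()):
        result[classify(version)].append(host)
    return result

# Constructed inventory: host names and versions are made up for the example.
SAMPLE_INVENTORY = {
    "ci-runner-01": "v2026.3.27",
    "ci-runner-02": "2026.3.28",
    "build-03": "2026.3.9",    # a string comparison would rank this above 3.28
    "build-04": "2026.10.1",   # and would rank this below it
    "dev-05": "2026.3.28-beta.1",
    "dev-06": "latest",
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

Hosts in the `unknown` group need a manual version check before they are counted as patched.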
## Collection Notes
- The RedPacketSecurity entry tags this under “OpenShell” in the description field, but the CVE context is OpenClaw. “OpenShell” may refer to a subcomponent of the OpenClaw ecosystem.
