OpenShell Mirror Mode Allows Arbitrary Code Execution

/HIGH /CVSS 7.3/10
Written by SCW Vulnerability Desk Vulnerability Intelligence
SCW vulnerabilitycvehigh-severitycode-executioncwe-829
OpenShell Mirror Mode Allows Arbitrary Code Execution

The National Vulnerability Database has identified CVE-2026-41355 in OpenShell versions prior to 2026.3.28. This vulnerability, rated HIGH (CVSS 7.3), allows for arbitrary code execution within the mirror mode functionality. Specifically, untrusted sandbox files can be converted into workspace hooks.

Attackers with existing mirror mode access can exploit this by leveraging enabled workspace hooks. This enables them to execute arbitrary code directly on the host system during gateway startup. The vulnerability is categorized under CWE-829, indicating an improper neutralization of absolute path in a tarball entry.

For defenders, this is a critical remote code execution vector. The attacker’s calculus here is clear: gain initial access, then use this flaw to escalate privileges or establish persistence. It’s a low-complexity attack requiring only basic user privileges and user interaction, making it highly attractive for adversaries.

What This Means For You

  • If your organization utilizes OpenShell, you need to immediately identify all instances running versions prior to 2026.3.28. Prioritize patching to the latest secure version. Furthermore, audit your systems for any enabled workspace hooks or unusual activity in mirror mode, as this could indicate a compromise or attempted exploitation.
🛡️ Am I exposed to this? Get detection rules for CVE-2026-41355 — Splunk, Sentinel, Elastic, QRadar & more

Related ATT&CK Techniques

T1204.002 Malicious File Execution T1190 Exploit Public-Facing Application Initial Access

🛡️ Detection Rules

3 rules · 6 SIEM formats

3 detection rules auto-generated for this incident, mapped to MITRE ATT&CK. Sigma YAML is free — export to any SIEM format via the Intel Bot.

critical T1190 Initial Access

CVE-2026-41355: OpenShell Mirror Mode Arbitrary Code Execution via Workspace Hook

Sigma YAML — free preview
✓ Sigma · Splunk SPL Sentinel KQL Elastic QRadar AQL Wazuh Get rules for your SIEM →

Indicators of Compromise

IDTypeIndicator
CVE-2026-41355 RCE OpenShell before 2026.3.28
CVE-2026-41355 RCE arbitrary code execution in mirror mode
CVE-2026-41355 RCE converts untrusted sandbox files into workspace hooks
CVE-2026-41355 RCE exploitation of enabled workspace hooks during gateway startup

Written by SCW Vulnerability Desk

Source & Attribution
Source PlatformNVD
ChannelNational Vulnerability Database
PublishedApril 24, 2026 at 01:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.

Believe this infringes your rights? Submit a takedown request.

Related Posts

CVE-2026-6732 — Libxml2 Denial of Service

CVE-2026-6732 — A flaw was found in libxml2. This vulnerability occurs when the library processes a specially crafted XML Schema Definition (XSD) validated document that...

vulnerabilityCVEmedium-severitydenial-of-servicecwe-843
/SCW Vulnerability Desk /MEDIUM /6.5 /⚑ 2 IOCs /⚙ 2 Sigma

OpenClaw: High-Severity Access Control Bypass Looms

CVE-2026-41353 — OpenClaw before 2026.3.22 contains an access control bypass vulnerability in the allowProfiles feature that allows attackers to circumvent profile restrictions through persistent profile...

vulnerabilityCVEhigh-severitycwe-472
/SCW Vulnerability Desk /HIGH /8.1 /⚑ 4 IOCs /⚙ 2 Sigma

OpenClaw RCE: Paired Nodes Bypass Auth, Allow Arbitrary Commands

CVE-2026-41352 — OpenClaw before 2026.3.31 contains a remote code execution vulnerability where a device-paired node can bypass the node scope gate authentication mechanism. Attackers with...

vulnerabilityCVEhigh-severityremote-code-executioncwe-862
/SCW Vulnerability Desk /HIGH /8.8 /⚑ 3 IOCs /⚙ 3 Sigma