📄 Description (English)
OpenShell before 2026.3.28 contains an arbitrary code execution vulnerability in mirror mode that converts untrusted sandbox files into workspace hooks. Attackers with mirror mode access can execute arbitrary code on the host during gateway startup by exploiting enabled workspace hooks.
🤖 AI Executive Summary
CVE-2026-41355 is a high-severity arbitrary code execution vulnerability in OpenShell's mirror mode that allows attackers to execute arbitrary code on the host system during gateway startup by exploiting workspace hooks. The vulnerability affects versions before 2026.3.28 and requires mirror mode access. With no patch currently available and no public exploits, organizations should immediately implement compensating controls and monitor for exploitation attempts.
📄 Description (Arabic)
🤖 AI Intelligence Analysis Analyzed: May 6, 2026 04:19
🇸🇦 Saudi Arabia Impact Assessment
This vulnerability poses significant risk to Saudi government agencies, financial institutions, and critical infrastructure operators that utilize OpenShell for gateway management and sandbox operations. Banking sector (SAMA-regulated entities) and government networks (NCA oversight) are particularly vulnerable if OpenShell is deployed in their infrastructure. Telecommunications providers (STC, Mobily) and energy sector organizations (ARAMCO, SEC) managing critical systems through OpenShell gateways face potential operational disruption and data compromise. The arbitrary code execution capability could enable lateral movement within sensitive networks.
🏢 Affected Saudi Sectors
Government and Public Administration
Banking and Financial Services
Telecommunications
Energy and Utilities
Healthcare
Critical Infrastructure
🎯 MITRE ATT&CK Techniques
⚖️ Saudi Risk Score (AI)
7.8
/ 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Identify all OpenShell deployments in your environment, particularly those running versions before 2026.3.28
2. Disable mirror mode functionality immediately if not operationally critical
3. Restrict mirror mode access to only trusted, authenticated users with multi-factor authentication
4. Implement network segmentation to isolate OpenShell gateway systems from critical infrastructure
COMPENSATING CONTROLS:
5. Monitor workspace hook creation and modification events in real-time
6. Implement file integrity monitoring (FIM) on workspace hook directories
7. Disable automatic workspace hook execution during gateway startup; require manual approval
8. Implement strict input validation and sandboxing for any files processed in mirror mode
9. Deploy application whitelisting to prevent unauthorized code execution
DETECTION RULES:
10. Alert on any modifications to workspace hook files or configurations
11. Monitor for suspicious process execution originating from OpenShell gateway processes
12. Track failed and successful mirror mode authentication attempts
13. Monitor for unexpected child processes spawned during gateway startup
PATCHING:
14. Subscribe to OpenShell security advisories and upgrade to version 2026.3.28 or later immediately upon release
15. Maintain an inventory of all OpenShell instances for rapid patching deployment
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية:
1. حدد جميع نشرات OpenShell في بيئتك، خاصة تلك التي تعمل بإصدارات سابقة للإصدار 2026.3.28
2. عطّل وظيفة وضع المرآة فوراً إذا لم تكن حرجة من الناحية التشغيلية
3. قيّد الوصول إلى وضع المرآة للمستخدمين الموثوقين والمصرح لهم فقط مع المصادقة متعددة العوامل
4. نفّذ تقسيم الشبكة لعزل أنظمة بوابة OpenShell عن البنية التحتية الحرجة
الضوابط التعويضية:
5. راقب إنشاء وتعديل خطافات مساحة العمل في الوقت الفعلي
6. نفّذ مراقبة سلامة الملفات (FIM) على دلائل خطافات مساحة العمل
7. عطّل تنفيذ خطافات مساحة العمل التلقائي أثناء بدء البوابة؛ اطلب الموافقة اليدوية
8. نفّذ التحقق الصارم من المدخلات والحماية الرملية لأي ملفات تتم معالجتها في وضع المرآة
9. نشّر القائمة البيضاء للتطبيقات لمنع تنفيذ الكود غير المصرح به
قواعد الكشف:
10. أصدر تنبيهات عند أي تعديلات على ملفات أو تكوينات خطافات مساحة العمل
11. راقب تنفيذ العمليات المريبة الناشئة من عمليات بوابة OpenShell
12. تتبع محاولات المصادقة الفاشلة والناجحة في وضع المرآة
13. راقب العمليات الفرعية غير المتوقعة التي يتم إطلاقها أثناء بدء البوابة
التصحيح:
14. اشترك في تنبيهات أمان OpenShell وقم بالترقية إلى الإصدار 2026.3.28 أو أحدث فوراً عند الإصدار
15. احتفظ بجرد لجميع مثيلات OpenShell لنشر التصحيح السريع
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
ECC 2024 A.12.6.1 - Management of technical vulnerabilities
ECC 2024 A.14.2.1 - Secure development policy
ECC 2024 A.12.2.1 - Monitoring and logging of access to information
🔵 SAMA CSF
SAMA CSF ID.BE-1 - Asset management and inventory
SAMA CSF PR.AC-1 - Access control and authentication
SAMA CSF DE.CM-1 - Detection and monitoring
SAMA CSF RS.MI-1 - Incident response and mitigation
🟡 ISO 27001:2022
ISO 27001:2022 A.12.2.1 - Monitoring and logging
ISO 27001:2022 A.12.6.1 - Management of technical vulnerabilities
ISO 27001:2022 A.14.2.1 - Secure development policy
ISO 27001:2022 A.8.1.1 - User endpoint devices
🟣 PCI DSS v4.0.1
PCI DSS 6.2 - Security patches and updates
PCI DSS 10.2 - Logging and monitoring
PCI DSS 12.2 - Configuration standards
🔗 References & Sources 3
🔗
🔗
🔗
https://github.com/openclaw/openclaw/commit/c02ee8a3a4cb390b23afdf21317aa8b2096854d1
disclosure@vulncheck.com
https://github.com/openclaw/openclaw/security/advisories/GHSA-42mx-vp8m-j7qh
disclosure@vulncheck.com
https://www.vulncheck.com/advisories/openshell-arbitrary-code-execution-via-mirror-mode...
disclosure@vulncheck.com