CVE-2026-26321
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Description
OpenClaw is a personal AI assistant. Prior to OpenClaw version 2026.2.14, the Feishu extension allowed `sendMediaFeishu` to treat attacker-controlled `mediaUrl` values as local filesystem paths and read them directly. If an attacker can influence tool calls (directly or via prompt injection), they may be able to exfiltrate local files by supplying paths such as `/etc/passwd` as `mediaUrl`. Upgrade to OpenClaw `2026.2.14` or newer to receive a fix. The fix removes direct local file reads from this path and routes media loading through hardened helpers that enforce local-root restrictions.
Analysis
OpenClaw's Feishu extension prior to version 2026.2.14 improperly handles `mediaUrl` parameters by treating attacker-controlled values as local filesystem paths, enabling unauthorized file read access. An attacker who can influence tool calls through direct manipulation or prompt injection could exfiltrate sensitive files like `/etc/passwd`. …
Remediation
Within 24 hours: Identify all OpenClaw installations with Feishu extension enabled and document current versions. Within 7 days: Upgrade all affected OpenClaw instances to version 2026.2.14 or later; disable the Feishu extension on systems that cannot be immediately patched. …
External POC / Exploit Code
GHSA-8jpq-5h99-ff5r