EUVD-2026-12714
GHSA-vj3g-5px3-gr46
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Lifecycle Timeline
4Tags
Description
OpenClaw versions prior to 2026.2.19 contain a path traversal vulnerability in the Feishu media download flow where untrusted media keys are interpolated directly into temporary file paths in extensions/feishu/src/media.ts. An attacker who can control Feishu media key values returned to the client can use traversal segments to escape os.tmpdir() and write arbitrary files within the OpenClaw process permissions.
Analysis
OpenClaw contains a path traversal vulnerability in the Feishu media download functionality where untrusted media key values are directly interpolated into temporary file paths without sanitization. OpenClaw versions prior to 2026.2.19 are affected, allowing remote unauthenticated attackers to write arbitrary files within the process permissions by using directory traversal sequences in media keys. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Identify all systems running OpenClaw versions prior to 2026.2.19 and assess Feishu integration usage. Within 7 days: Apply vendor patch to upgrade to version 2026.2.19 or later across all affected instances, testing in non-production environments first. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today