CVE-2026-26321

HIGH SEVERITY

CVSS Score & Metrics

Base Score

7.5 / 10

Vector String

                                        CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N                                    

Vulnerability Description

OpenClaw is a personal AI assistant. Prior to OpenClaw version 2026.2.14, the Feishu extension previously allowed `sendMediaFeishu` to treat attacker-controlled `mediaUrl` values as local filesystem paths and read them directly. If an attacker can influence tool calls (directly or via prompt injection), they may be able to exfiltrate local files by supplying paths such as `/etc/passwd` as `mediaUrl`. Upgrade to OpenClaw `2026.2.14` or newer to receive a fix. The fix removes direct local file reads from this path and routes media loading through hardened helpers that enforce local-root restrictions.

Vulnerability Details

Published Date

February 17, 2026

Last Modified

February 20, 2026

CWE ID

CWE-22

Source

GitHub

Vendor

npm

Product

openclaw

External References

https://github.com/openclaw/openclaw/security/advisories/GHSA-8jpq-5h99-ff5r
https://github.com/openclaw/openclaw/commit/5b4121d6011a48c71e747e3c18197f180b872c5d
https://github.com/openclaw/openclaw/releases/tag/v2026.2.14
https://github.com/advisories/GHSA-8jpq-5h99-ff5r

CVE-2026-26321

CVSS Score & Metrics

Vulnerability Description

Vulnerability Details

External References

Discussion (0)

Add Comment