Detections
Analytics

CVE-2026-26321

high

Description

OpenClaw is a personal AI assistant. Prior to OpenClaw version 2026.2.14, the Feishu extension previously allowed `sendMediaFeishu` to treat attacker-controlled `mediaUrl` values as local filesystem paths and read them directly. If an attacker can influence tool calls (directly or via prompt injection), they may be able to exfiltrate local files by supplying paths such as `/etc/passwd` as `mediaUrl`. Upgrade to OpenClaw `2026.2.14` or newer to receive a fix. The fix removes direct local file reads from this path and routes media loading through hardened helpers that enforce local-root restrictions.

References

https://github.com/openclaw/openclaw/security/advisories/GHSA-8jpq-5h99-ff5r

https://github.com/openclaw/openclaw/releases/tag/v2026.2.14

https://github.com/openclaw/openclaw/commit/5b4121d6011a48c71e747e3c18197f180b872c5d

Details

Source: Mitre, NVD

Published: 2026-02-19

Updated: 2026-02-20

Risk Information

CVSS v2

Base Score: 7.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:N/A:N

Severity: High

CVSS v3

Base Score: 7.5

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Severity: High

EPSS

EPSS: 0.00055