← Back to CVEs
CVE-2026-26321
HIGH7.5
Description
OpenClaw is a personal AI assistant. Prior to OpenClaw version 2026.2.14, the Feishu extension previously allowed `sendMediaFeishu` to treat attacker-controlled `mediaUrl` values as local filesystem paths and read them directly. If an attacker can influence tool calls (directly or via prompt injection), they may be able to exfiltrate local files by supplying paths such as `/etc/passwd` as `mediaUrl`. Upgrade to OpenClaw `2026.2.14` or newer to receive a fix. The fix removes direct local file reads from this path and routes media loading through hardened helpers that enforce local-root restrictions.
CVE Details
CVSS v3.1 Score7.5
SeverityHIGH
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack VectorNETWORK
ComplexityLOW
Privileges RequiredNONE
User InteractionNONE
Published2/19/2026
Last Modified2/20/2026
Sourcenvd
Honeypot Sightings0
Affected Products
openclaw:openclaw
Weaknesses (CWE)
CWE-22
References
https://github.com/openclaw/openclaw/commit/5b4121d6011a48c71e747e3c18197f180b872c5d(security-advisories@github.com)
https://github.com/openclaw/openclaw/releases/tag/v2026.2.14(security-advisories@github.com)
https://github.com/openclaw/openclaw/security/advisories/GHSA-8jpq-5h99-ff5r(security-advisories@github.com)
IOC Correlations
No correlations recorded
This product uses data from the NVD API but is not endorsed or certified by the NVD.