CVE-2026-22171 | THREATINT

Description

OpenClaw versions prior to 2026.2.19 contain a path traversal vulnerability in the Feishu media download flow where untrusted media keys are interpolated directly into temporary file paths in extensions/feishu/src/media.ts. An attacker who can control Feishu media key values returned to the client can use traversal segments to escape os.tmpdir() and write arbitrary files within the OpenClaw process permissions.

PUBLISHED Reserved 2026-01-06 | Published 2026-03-18 | Updated 2026-03-18 | Assigner VulnCheck

HIGH: 8.8CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N

HIGH: 8.2CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

Problem types

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Product status

Default status

unaffected

Any version before 2026.2.19

affected

Credits

Sean Nejad (@allsmog) reporter

References

github.com/...enclaw/security/advisories/GHSA-vj3g-5px3-gr46 (GitHub Security Advisory (GHSA-vj3g-5px3-gr46)) third-party-advisory

github.com/...ommit/c821099157a9767d4df208c6b12f214946507871 (Patch Commit #1) patch

github.com/...ommit/cdb00fe2428000e7a08f9b7848784a0049176705 (Patch Commit #2) patch

github.com/...ommit/ec232a9e2dff60f0e3d7e827a7c868db5254473f (Patch Commit #3) patch

www.vulncheck.com/...l-in-feishu-media-temporary-file-naming (VulnCheck Advisory: OpenClaw < 2026.2.19 - Path Traversal in Feishu Media Temporary File Naming) third-party-advisory

cve.org (CVE-2026-22171)

nvd.nist.gov (CVE-2026-22171)

Download JSON