CVE-2026-22171 HIGH

CVE-2026-22171: OpenClaw < 2026.2.19 - Path Traversal in Feishu Media Temporary File Naming

Vendor Openclaw
Product OpenClaw
Weakness CWE-22 · Path traversal
Published March 18, 2026
Last update March 18, 2026

CVSS base score

8.8/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N

What the vulnerability does

01 Description

OpenClaw versions prior to 2026.2.19 contain a path traversal vulnerability in the Feishu media download flow: untrusted media keys are interpolated directly into temporary file paths in extensions/feishu/src/media.ts. An attacker who can control the Feishu media key values returned to the client can use traversal segments to escape os.tmpdir() and write arbitrary files with the permissions of the OpenClaw process.
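
The weakness described above, shown beside a hardened temporary-path builder. This is an added example, not OpenClaw's code or its patch: the function names, the feishu-media- file prefix, the key allowlist pattern and the sample keys are assumptions made for illustration.

```typescript
import * as os from "node:os";
import * as path from "node:path";
import { randomUUID } from "node:crypto";

// Assumed key alphabet for this example; adjust to the keys your deployment sees.
const KEY_PATTERN = /^[A-Za-z0-9_-]{1,128}$/;

// True only when candidate resolves to a location strictly below baseDir.
export function isInside(baseDir: string, candidate: string): boolean {
  const rel = path.relative(path.resolve(baseDir), path.resolve(candidate));
  return rel !== "" && !path.isAbsolute(rel) && rel.split(path.sep)[0] !== "..";
}

// Pattern the advisory describes: the untrusted key becomes part of the path,
// so "/" and ".." segments in the key are honoured by path.join().
export function unsafeTempPath(mediaKey: string, tmpDir: string = os.tmpdir()): string {
  return path.join(tmpDir, `feishu-media-${mediaKey}`);
}

// Hardened form: validate the key, never place it in the path, and verify
// containment before the caller opens the file.
export function safeTempPath(mediaKey: string, tmpDir: string = os.tmpdir()): string {
  if (!KEY_PATTERN.test(mediaKey)) {
    throw new Error("media key contains characters outside the allowlist");
  }
  const candidate = path.join(tmpDir, `feishu-media-${randomUUID()}.tmp`);
  if (!isInside(tmpDir, candidate)) {
    throw new Error("temporary path escapes the base directory");
  }
  return candidate;
}

// Constructed sample keys, not taken from real traffic.
export function demo(tmpDir: string = os.tmpdir()): Record<string, boolean> {
  const hostile = "x/../../outside.txt";
  let rejected = false;
  try { safeTempPath(hostile, tmpDir); } catch { rejected = true; }
  return {
    unsafeEscapes: !isInside(tmpDir, unsafeTempPath(hostile, tmpDir)),
    hostileRejected: rejected,
    safeContained: isInside(tmpDir, safeTempPath("img_v2_abc-123", tmpDir)),
  };
}
```

The containment check in isInside() is also usable as a regression test or code-review assertion on any code path that builds file names from remote identifiers.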

Key dates

02 Disclosure timeline

March 18, 2026 CVE published
March 18, 2026 Record updated