CVE-2026-26321

7.5 HIGH

📋 TL;DR

OpenClaw's Feishu extension had a path traversal vulnerability that allowed reading arbitrary local files by supplying attacker-controlled paths. This affects OpenClaw installations with the Feishu extension enabled prior to version 2026.2.14. Attackers could exfiltrate sensitive system files through prompt injection or direct tool call manipulation.

💻 Affected Systems

Products:
  • OpenClaw with Feishu extension
Versions: All versions prior to 2026.2.14
Operating Systems: All operating systems running OpenClaw
Default Config Vulnerable: ⚠️ Yes
Notes: Requires the Feishu extension to be enabled and reachable by attackers through tool calls.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete system compromise via reading sensitive files such as SSH keys, configuration files, and credentials, potentially leading to lateral movement and data exfiltration.

🟠 Likely Case: Exfiltration of sensitive local files, including configuration files, credentials, and user data stored on the system.

🟢 If Mitigated: Limited impact with proper input validation and file access restrictions in place.

🌐 Internet-Facing: MEDIUM - Requires attacker to influence tool calls, which could be achieved through prompt injection in internet-facing deployments.
🏢 Internal Only: HIGH - Internal users with access to OpenClaw could exploit this to read sensitive system files.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires the ability to influence tool calls, which could be achieved through prompt injection or direct API access.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2026.2.14

Vendor Advisory: https://github.com/openclaw/openclaw/security/advisories/GHSA-8jpq-5h99-ff5r

Restart Required: Yes

Instructions:

1. Back up your OpenClaw configuration and data.
2. Stop the OpenClaw service.
3. Update to version 2026.2.14 or newer using your package manager or from GitHub releases.
4. Restart the OpenClaw service.
5. Verify that the update was successful.

🔧 Temporary Workarounds

Disable Feishu extension (applies to: all)

Temporarily disable the vulnerable Feishu extension until patching is possible.

  • Edit the OpenClaw configuration to remove or comment out the Feishu extension settings
  • Restart the OpenClaw service

Implement input validation (applies to: all)

Add input validation to reject local file paths in the mediaUrl parameter.

  • Implement regex validation to block paths starting with /, ../, or containing the file:// scheme
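As an added example (not OpenClaw's own code; the mediaUrl handling and function names are assumptions), the deny-list regex described above beside a scheme allow-list built on the WHATWG URL parser, run over constructed inputs that show which local-path variants the regex alone lets through:

```javascript
// Added example, not OpenClaw's own code: two ways to validate a
// mediaUrl-style parameter before it reaches a media fetcher.

// 1. The deny-list regex from the workaround: reject values that start
//    with "/" or "../", or that contain a "file://" scheme (any casing).
const DENY_LIST = /^(\/|\.\.\/)|file:\/\//i;

function denyListAccepts(mediaUrl) {
  return !DENY_LIST.test(mediaUrl);
}

// 2. Allow-list alternative: parse with the WHATWG URL parser and accept
//    only absolute http(s) URLs with a host. Bare paths, relative paths
//    and percent-encoded traversal have no scheme, so `new URL` throws
//    and they are rejected; "file:" in any casing or slash count fails
//    the scheme check. Prefer this shape of check over the regex.
function allowListAccepts(mediaUrl) {
  let parsed;
  try {
    parsed = new URL(mediaUrl);
  } catch {
    return false; // not an absolute URL at all
  }
  if (parsed.protocol !== "http:" && parsed.protocol !== "https:") return false;
  return parsed.hostname.length > 0;
}

// Constructed sample inputs: one legitimate value plus local-path variants
// the deny-list regex accepts but the allow-list rejects.
const SAMPLES = {
  legit: "https://example.com/media/image.png",
  absPath: "/etc/passwd",
  traversal: "../../etc/passwd",
  dotSlashTraversal: "./../etc/passwd",
  encodedTraversal: "%2e%2e/etc/passwd",
  fileSingleSlash: "file:/etc/passwd",
  fileUpperCase: "FILE:///etc/passwd",
};

// Returns, per sample, the verdict of each validator (true = accepted).
function compareValidators(samples = SAMPLES) {
  const out = {};
  for (const [name, value] of Object.entries(samples)) {
    out[name] = { denyList: denyListAccepts(value), allowList: allowListAccepts(value) };
  }
  return out;
}
```

The allow-list rejects every local-path sample, while the deny-list passes dotSlashTraversal, encodedTraversal and fileSingleSlash, which is why a scheme allow-list is the safer interim check until the patched version is installed.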

🧯 If You Can't Patch

  • Disable the Feishu extension completely
  • Implement network segmentation to isolate OpenClaw from sensitive systems

🔍 How to Verify

Check if Vulnerable:

Check the OpenClaw version and whether the Feishu extension is enabled in the configuration.

Check Version:

Run openclaw --version, or check your package manager for the installed version.

Verify Fix Applied:

After updating, test that supplying a local file path to the mediaUrl parameter returns an error or is rejected by sanitization.

📡 Detection & Monitoring

Log Indicators:

  • Unusual file access patterns in system logs
  • OpenClaw logs showing file read operations with suspicious paths

Network Indicators:

  • Unexpected outbound data transfers from OpenClaw system

SIEM Query:

source="openclaw" AND (path="*passwd*" OR path="*shadow*" OR path="*ssh*" OR path="*config*" OR path="*secret*")
