CVE-2026-22171

OpenClaw versions prior to 2026.2.19 contain a path traversal vulnerability in the Feishu media download flow where untrusted media keys are interpolated directly into temporary file paths in extensions/feishu/src/media.ts. An attacker who can control Feishu media key values returned to the client can use traversal segments to escape os.tmpdir() and write arbitrary files within the OpenClaw process permissions.

CVSS v3 8.2 HIGH

8.2^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 4.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/openclaw/openclaw/commit/c821099157a9767d4df208c6b12f214946507871	Patch
https://github.com/openclaw/openclaw/commit/cdb00fe2428000e7a08f9b7848784a0049176705	Patch
https://github.com/openclaw/openclaw/commit/ec232a9e2dff60f0e3d7e827a7c868db5254473f	Patch
https://github.com/openclaw/openclaw/security/advisories/GHSA-vj3g-5px3-gr46	Mitigation Vendor Advisory
https://www.vulncheck.com/advisories/openclaw-path-traversal-in-feishu-media-temporary-file-naming	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*

History

No history.

Information

Published : 2026-03-18 02:16

Updated : 2026-03-19 14:52

NVD link : CVE-2026-22171

Mitre link : CVE-2026-22171

CVE.ORG link : CVE-2026-22171

JSON object : View

Products Affected

openclaw

openclaw

CWE

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

{"id": "CVE-2026-22171", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "disclosure@vulncheck.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 4.2, "exploitabilityScore": 3.9}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 3.9}], "cvssMetricV40": [{"type": "Secondary", "source": "disclosure@vulncheck.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.8, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-03-18T02:16:21.310", "references": [{"url": "https://github.com/openclaw/openclaw/commit/c821099157a9767d4df208c6b12f214946507871", "tags": ["Patch"], "source": "disclosure@vulncheck.com"}, {"url": "https://github.com/openclaw/openclaw/commit/cdb00fe2428000e7a08f9b7848784a0049176705", "tags": ["Patch"], "source": "disclosure@vulncheck.com"}, {"url": "https://github.com/openclaw/openclaw/commit/ec232a9e2dff60f0e3d7e827a7c868db5254473f", "tags": ["Patch"], "source": "disclosure@vulncheck.com"}, {"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-vj3g-5px3-gr46", "tags": ["Mitigation", "Vendor Advisory"], "source": "disclosure@vulncheck.com"}, {"url": "https://www.vulncheck.com/advisories/openclaw-path-traversal-in-feishu-media-temporary-file-naming", "tags": ["Third Party Advisory"], "source": "disclosure@vulncheck.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "disclosure@vulncheck.com", "description": [{"lang": "en", "value": "CWE-22"}]}], "descriptions": [{"lang": "en", "value": "OpenClaw versions prior to 2026.2.19 contain a path traversal vulnerability in the Feishu media download flow where untrusted media keys are interpolated directly into temporary file paths in extensions/feishu/src/media.ts. An attacker who can control Feishu media key values returned to the client can use traversal segments to escape os.tmpdir() and write arbitrary files within the OpenClaw process permissions."}, {"lang": "es", "value": "Las versiones de OpenClaw anteriores a 2026.2.19 contienen una vulnerabilidad de salto de ruta en el flujo de descarga de medios de Feishu donde las claves de medios no confiables se interpolan directamente en las rutas de archivos temporales en extensions/feishu/src/media.ts. Un atacante que puede controlar los valores de las claves de medios de Feishu devueltos al cliente puede usar segmentos de salto para escapar de os.tmpdir() y escribir archivos arbitrarios dentro de los permisos del proceso de OpenClaw."}], "lastModified": "2026-03-19T14:52:49.680", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "539A1AE2-E6EC-4FC0-A794-28AA37D76D8E", "versionEndExcluding": "2026.2.19"}], "operator": "OR"}]}], "sourceIdentifier": "disclosure@vulncheck.com"}