{"id":"GHSA-8jpq-5h99-ff5r","summary":"OpenClaw has a local file disclosure via sendMediaFeishu in Feishu extension","details":"### Summary\nThe Feishu extension previously allowed `sendMediaFeishu` to treat attacker-controlled `mediaUrl` values as local filesystem paths and read them directly.\n\n### Affected versions\n- `\u003c 2026.2.14`\n\n### Patched versions\n- `\u003e= 2026.2.14`\n\n### Impact\nIf an attacker can influence tool calls (directly or via prompt injection), they may be able to exfiltrate local files by supplying paths such as `/etc/passwd` as `mediaUrl`.\n\n### Remediation\nUpgrade to OpenClaw `2026.2.14` or newer.\n\n### Notes\nThe fix removes direct local file reads from this path and routes media loading through hardened helpers that enforce local-root restrictions.\n\n---\n\nFix commit 5b4121d60 confirmed on main and in v2026.2.14. Upgrade to `openclaw \u003e= 2026.2.14`.","aliases":["CVE-2026-26321"],"modified":"2026-02-20T16:58:05.071255Z","published":"2026-02-17T21:41:52Z","database_specific":{"github_reviewed":true,"github_reviewed_at":"2026-02-17T21:41:52Z","severity":"HIGH","nvd_published_at":"2026-02-19T23:16:25Z","cwe_ids":["CWE-22"]},"references":[{"type":"WEB","url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-8jpq-5h99-ff5r"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-26321"},{"type":"WEB","url":"https://github.com/openclaw/openclaw/commit/5b4121d6011a48c71e747e3c18197f180b872c5d"},{"type":"PACKAGE","url":"https://github.com/openclaw/openclaw"},{"type":"WEB","url":"https://github.com/openclaw/openclaw/releases/tag/v2026.2.14"}],"affected":[{"package":{"name":"openclaw","ecosystem":"npm","purl":"pkg:npm/openclaw"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"2026.2.14"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-8jpq-5h99-ff5r/GHSA-8jpq-5h99-ff5r.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}]}