Platform: nodejs
Component: openclaw
Fixed in: 2026.2.19
CVE-2026-22171 is a path traversal vulnerability in OpenClaw, a self-hosted collaboration platform, located in its Feishu extension. An attacker who controls the Feishu media keys (imageKey or fileKey) that the extension receives can write files to arbitrary locations reachable by the OpenClaw process. Versions prior to 2026.2.19 are affected; 2026.2.19 contains the fix.
The flaw is in how the Feishu extension builds temporary file paths for media downloads: extensions/feishu/src/media.ts interpolates the imageKey or fileKey value into a path under os.tmpdir() without sanitizing it. A key containing traversal sequences (such as ../../) therefore resolves to a location outside the intended temporary directory, and the downloaded content is written there. The write happens with the OpenClaw process's own file permissions, so the blast radius is bounded by what that account can modify, but that still allows data corruption, denial of service by overwriting files the process or the host depends on, and privilege escalation within the OpenClaw environment if the overwritten file is later loaded, executed or trusted by the process.
CVE-2026-22171 was publicly disclosed on March 3, 2026. At the time of writing there is no indication of exploitation in the wild, no public proof-of-concept has been released, and the EPSS score is 0.05% (17th percentile). The bug is simple in nature (a single unsanitized string in a file path), so a proof of concept is easy to derive from the diff between the vulnerable and fixed code; unpatched deployments should not rely on the absence of a public exploit.
Any OpenClaw deployment with the Feishu integration enabled for media downloads is exposed, because the attacker-controlled value is a media key supplied through Feishu rather than a parameter of OpenClaw's own authenticated interfaces. Deployments on shared hosts are a particular concern: an attacker who has compromised a neighbouring application, or who can otherwise feed crafted media keys into the Feishu integration, gains a write primitive against everything the OpenClaw process account can reach.
• nodejs: The media keys are supplied by the Feishu integration, so they only appear in logs if the extension (or your own logging) records them; web access logs alone may not show them. Where they are logged, search the imageKey and fileKey values for traversal sequences, including the URL-encoded form:

grep -Ei 'imageKey=[^ "]*(\.\.[/\\]|%2e%2e)' /var/log/openclaw/access.log
grep -Ei 'fileKey=[^ "]*(\.\.[/\\]|%2e%2e)' /var/log/openclaw/access.log

• generic web: Examine access logs for requests to the media download endpoint with suspicious query parameters, and exercise the endpoint with a crafted parameter (the /download route below is illustrative; substitute the route your deployment actually exposes). On a patched instance the request must be rejected, and no file may appear outside the temporary directory:

curl -s 'https://your-openclaw-instance/download?imageKey=../../../../etc/passwd'

Disclosure: March 3, 2026
Patch: 2026.2.19
Exploit status: no known exploitation at the time of writing
EPSS: 0.05% (17th percentile)
The primary mitigation is to upgrade OpenClaw to version 2026.2.19 or later, which contains the fix. If an immediate upgrade is not possible, validate the Feishu media keys before they are used in path construction: accept only an allow-list of characters (for example alphanumerics, '_' and '-'), reject anything containing a path separator or '..', and, as a second independent check, resolve the final path and confirm it still lies under the temporary directory. Also monitor OpenClaw for file writes outside the expected temporary directory. After upgrading, confirm the fix by triggering a media download with a crafted key containing traversal sequences; the download must fail with an error and no file may appear outside the temporary directory.
Update OpenClaw to version 2026.2.19 or later. This version fixes the path traversal vulnerability in the handling of Feishu media temporary files.
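The following is an added example in TypeScript (the language of the affected extension), not OpenClaw's code, illustrating the flaw described above and the workaround just outlined: the unsafe path construction in the shape the advisory describes, a hardened replacement that allow-lists the key and then independently proves the resolved path stays inside the temporary directory, and the same allow-list reused to scan log lines for suspicious keys. The function names, the openclaw-feishu subdirectory, the allow-list pattern for Feishu keys and the log line format are assumptions, not taken from OpenClaw; the log lines are constructed for the example.

```typescript
import * as os from "os";
import * as path from "path";

// VULNERABLE shape (an assumed reconstruction of the media.ts flaw, not its
// actual code): the Feishu key is dropped into a path under os.tmpdir() as-is,
// so "../../../../etc/cron.d/x" resolves to /etc/cron.d/x on a Linux host.
export function vulnerableTempPath(mediaKey: string, baseDir: string = os.tmpdir()): string {
  return `${baseDir}/openclaw-feishu/${mediaKey}`;
}

// Allow-list for media keys (an assumption; tighten it to what your Feishu
// tenant actually returns). No separators, no dots, bounded length.
export const MEDIA_KEY_RE = /^[A-Za-z0-9_-]{1,128}$/;

export function isValidMediaKey(key: string): boolean {
  return MEDIA_KEY_RE.test(key);
}

// True only if `target` resolves to a location strictly inside `root`.
// Segment-aware: a sibling entry named "..foo" is not mistaken for an escape,
// and `root` itself does not count as inside.
export function isInsideDir(root: string, target: string): boolean {
  const rel = path.relative(path.resolve(root), path.resolve(target));
  return rel !== "" && rel !== ".." && !rel.startsWith(`..${path.sep}`) && !path.isAbsolute(rel);
}

// HARDENED shape: validate first, then independently verify the resolved path.
// Either check alone stops this CVE; keeping both means a later relaxation of
// the allow-list cannot silently reintroduce traversal.
export function safeTempPath(mediaKey: string, baseDir: string = os.tmpdir()): string {
  if (!isValidMediaKey(mediaKey)) {
    throw new Error(`rejected Feishu media key: ${JSON.stringify(mediaKey)}`);
  }
  const root = path.resolve(baseDir, "openclaw-feishu");
  const target = path.resolve(root, mediaKey);
  if (!isInsideDir(root, target)) {
    throw new Error("resolved media path escapes the temporary directory");
  }
  return target;
}

// Detection: extract imageKey/fileKey values from log lines and flag any that
// fail the allow-list, after percent-decoding so "..%2f" is caught as well.
const KEY_IN_LOG_RE = /\b(imageKey|fileKey)=("?)([^"\s&]+)\2/g;

export function findSuspiciousKeys(lines: string[]): string[] {
  const hits: string[] = [];
  for (const line of lines) {
    const re = new RegExp(KEY_IN_LOG_RE.source, "g");
    let m: RegExpExecArray | null;
    while ((m = re.exec(line)) !== null) {
      const raw = m[3];
      let decoded = raw;
      try {
        decoded = decodeURIComponent(raw);
      } catch {
        // Malformed percent-encoding: keep the raw value and let the allow-list judge it.
      }
      if (!isValidMediaKey(decoded)) hits.push(raw);
    }
  }
  return hits;
}

// Constructed sample log lines (not real OpenClaw output; the format is assumed).
export const SAMPLE_LOG: string[] = [
  'level=info msg="feishu media download" imageKey=img_v2_abc123',
  'level=info msg="feishu media download" fileKey="file_v2_ok-1"',
  'level=info msg="feishu media download" fileKey=../../../../etc/cron.d/x',
  'level=info msg="feishu media download" imageKey=..%2f..%2f..%2fetc%2fpasswd',
];

console.log("vulnerable resolves to:", path.resolve(vulnerableTempPath("../../../../etc/cron.d/x", "/tmp")));
console.log("hardened path:", safeTempPath("img_v2_abc123", "/tmp"));
console.log("suspicious keys:", findSuspiciousKeys(SAMPLE_LOG));
```

Running the block prints the escaped path the vulnerable form produces, the confined path the hardened form produces, and the two crafted keys the log scan flags; feeding a traversal key to safeTempPath throws before any path is built.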
CVE-2026-22171 is a path traversal vulnerability in OpenClaw that allows attackers to write arbitrary files by manipulating Feishu media keys. It has a CVSS score of 8.2 (HIGH).
You are affected if you run an OpenClaw version prior to 2026.2.19 with the Feishu integration enabled for media downloads.
Upgrade OpenClaw to version 2026.2.19 or later. As a temporary measure, validate or filter the media keys before they reach the file-system code; WAF rules only help if the keys enter through an HTTP ingress you control, since they originate from the Feishu service rather than from OpenClaw's own request parameters.
There is currently no evidence of active exploitation in the wild, and no public proof-of-concept code has been released.
Refer to the OpenClaw security advisories on their official website or GitHub repository for the latest information.