Platform: nodejs
Component: openclaw
Fixed in: 2026.2.19
CVE-2026-22171 describes a path traversal vulnerability in OpenClaw, a self-hosted collaborative knowledge base. The flaw allows an attacker to write arbitrary files within the OpenClaw process's file system, which can lead to data corruption or code execution. It stems from improper handling of Feishu media keys in the media download flow and affects versions before 2026.2.19, the version in which the fix was released.
The core of the vulnerability lies in how OpenClaw handles the imageKey and fileKey values it receives from Feishu during media downloads. These keys are interpolated directly into temporary file paths without sanitization. An attacker who controls the Feishu media keys, for instance through a compromised upstream Feishu response, can craft keys containing path traversal sequences (e.g., ../), escape the intended temporary directory and write files to arbitrary locations reachable by the OpenClaw process. The impact is bounded by the permissions of that process, but this can still permit modification or deletion of critical configuration files, leading to denial of service, or even remote code execution if the process runs with elevated privileges. Although the flaw is not directly exploitable for full system compromise, the ability to write arbitrary files is a significant security risk.
CVE-2026-22171 was publicly disclosed on March 3, 2026. There is currently no indication of active exploitation in the wild, and no public proof-of-concept (PoC) code has been released. The vulnerability is not currently listed on the CISA KEV catalog. The EPSS score is likely to be low to medium, given the lack of public exploits and the requirement for attacker control over upstream Feishu responses.
Exploit Status
EPSS: 0.05% (17th percentile)
The primary mitigation for CVE-2026-22171 is to upgrade OpenClaw to version 2026.2.19 or later without delay. This version sanitizes the Feishu media keys before they are used in file path construction. If upgrading is not immediately feasible, consider a Web Application Firewall (WAF) rule that filters requests containing suspicious characters in the imageKey and fileKey parameters, and restrict access to the media download endpoint to trusted sources only. Regularly review and audit the OpenClaw configuration to ensure the process runs with the least privileges it needs. After upgrading, confirm the fix by attempting a media download with a crafted imageKey containing path traversal characters; the download should be denied.
Update OpenClaw to version 2026.2.19 or later. This version fixes the path traversal vulnerability in Feishu media temporary file handling.
CVE-2026-22171 is a Path Traversal vulnerability in OpenClaw that allows attackers to write arbitrary files by manipulating Feishu media keys. It has a CVSS score of 8.2 (HIGH).
You are affected if you are running OpenClaw versions prior to 2026.2.19 and are using Feishu integration for media downloads.
Upgrade OpenClaw to version 2026.2.19 or later. Consider implementing WAF rules to filter suspicious parameters as a temporary workaround.
There is currently no evidence of active exploitation in the wild, and no public proof-of-concept code has been released.
Refer to the OpenClaw security advisories on their official website or GitHub repository for the latest information.