CVE-2026-22171

EPSS 0.34%
Veröffentlicht 18.03.2026 02:16:21
Zuletzt bearbeitet 19.03.2026 14:52:49
Quelle disclosure@vulncheck.com
CVE-Watchlists
Login
Unerledigt
Login

OpenClaw < 2026.2.19 - Path Traversal in Feishu Media Temporary File Naming

OpenClaw versions prior to 2026.2.19 contain a path traversal vulnerability in the Feishu media download flow where untrusted media keys are interpolated directly into temporary file paths in extensions/feishu/src/media.ts. An attacker who can control Feishu media key values returned to the client can use traversal segments to escape os.tmpdir() and write arbitrary files within the OpenClaw process permissions.

Betroffene Produkte Warnungen 0 Metriken 4 CWE 1 Referenzen 8

NVD 1 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

OpenClaw ≫ OpenClaw SwPlatformnode.js Version < 2026.2.19

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.34%	0.255

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	9.1	3.9	5.2	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
disclosure@vulncheck.com	8.8	0	0	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
disclosure@vulncheck.com	8.2	3.9	4.2	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

https://github.com/openclaw/openclaw/commit/c821099157a9767d4df208c6b12f214946507871

Patch

https://github.com/openclaw/openclaw/commit/cdb00fe2428000e7a08f9b7848784a0049176705

Patch

https://github.com/openclaw/openclaw/commit/ec232a9e2dff60f0e3d7e827a7c868db5254473f

Patch

https://github.com/openclaw/openclaw/security/advisories/GHSA-vj3g-5px3-gr46

Vendor Advisory

Mitigation

https://www.vulncheck.com/advisories/openclaw-path-traversal-in-feishu-media-temporary-file-naming

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2026-22171

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-22171

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-22171

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-22171