CVE-2026-22171 - Vulnerability Details

- OpenClaw < 2026.2.19 - Path Traversal in Feishu Media Temporary File Naming

Description

OpenClaw versions prior to 2026.2.19 contain a path traversal vulnerability in the Feishu media download flow where untrusted media keys are interpolated directly into temporary file paths in extensions/feishu/src/media.ts. An attacker who can control Feishu media key values returned to the client can use traversal segments to escape os.tmpdir() and write arbitrary files within the OpenClaw process permissions.

Published: 2026-03-18

Score: 8.8 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

OpenClaw versions older than 2026.2.19 contain a path traversal flaw in the Feishu media download flow where untrusted media key values are interpolated directly into temporary file paths in extensions/feishu/src/media.ts. An attacker who can control the media key values returned to the client can craft traversal segments to escape os.tmpdir(), allowing them to write arbitrary files within the OpenClaw process permissions. This capability can be used to place malicious executables or modify critical configuration files, potentially leading to arbitrary code execution, privilege escalation, or data corruption.

Affected Systems

All OpenClaw deployments running a version prior to 2026.2.19 are affected. The product runs under Node.js as indicated by the CPE entry. Any installation that exposes the Feishu media interface is at risk.

Risk and Exploitability

The CVSS score of 8.8 classifies this as a high‑severity vulnerability. EPSS data is unavailable and the issue is currently not listed in the CISA KEV catalog. Exploitation can occur remotely via the Feishu media feature, provided that an attacker can influence the media key values. No elevated privilege is required beyond the normal OpenClaw process, making the attack vector broadly applicable to remote users or compromised clients. The absence of an immediate fix underscores the importance of applying remediation promptly.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

OpenClaw

unaffected

Version	Status	Constraints
`0`	affected	< 2026.2.19

Configuration 1 [-]

cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*

No data.

Vendor Product Confidence Versions

Openclaw

95%

Version	Status	Scheme	Platform
`[0,2026.2.19)`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade to OpenClaw version 2026.2.19 or later to eliminate the path traversal flaw.
If an upgrade cannot be performed immediately, consider disabling or removing the Feishu media support to prevent the vulnerable flow from being executed.
Implement monitoring of the OpenClaw temporary directory to detect unexpected file creation or deletion events.
Stay informed by reviewing open-source advisories and vendor notices for subsequent patches or additional mitigations.

Generated by OpenCVE AI on March 18, 2026 at 03:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Github GHSA	GHSA-vj3g-5px3-gr46	OpenClaw vulnerable to path traversal in Feishu media temp-file naming allows writes outside os.tmpdir()

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00054.

Exploitation none

Automatable yes

Technical Impact partial

References

Link	Providers
https://github.com/openclaw/openclaw/commit/c821099157a9767d4df208c6b12f214946507871
https://github.com/openclaw/openclaw/commit/cdb00fe2428000e7a08f9b7848784a0049176705
https://github.com/openclaw/openclaw/commit/ec232a9e2dff60f0e3d7e827a7c868db5254473f
https://github.com/openclaw/openclaw/security/advisories/GHSA-vj3g-5px3-gr46
https://www.vulncheck.com/advisories/openclaw-path-traversal-in-feishu-media-temporary-file-naming

History

Wed, 18 Mar 2026 14:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Wed, 18 Mar 2026 02:15:00 +0000

Type	Values Removed	Values Added
Description		OpenClaw versions prior to 2026.2.19 contain a path traversal vulnerability in the Feishu media download flow where untrusted media keys are interpolated directly into temporary file paths in extensions/feishu/src/media.ts. An attacker who can control Feishu media key values returned to the client can use traversal segments to escape os.tmpdir() and write arbitrary files within the OpenClaw process permissions.
Title		OpenClaw < 2026.2.19 - Path Traversal in Feishu Media Temporary File Naming
First Time appeared		Openclaw Openclaw openclaw
Weaknesses		CWE-22
CPEs		cpe:2.3:a:openclaw:openclaw::::::node.js::*
Vendors & Products		Openclaw Openclaw openclaw
References		https://github.com/openclaw/openclaw/commit/c821099157a9767d4df208c6b12f214946507871 https://github.com/openclaw/openclaw/commit/cdb00fe2428000e7a08f9b7848784a0049176705 https://github.com/openclaw/openclaw/commit/ec232a9e2dff60f0e3d7e827a7c868db5254473f https://github.com/openclaw/openclaw/security/advisories/GHSA-vj3g-5px3-gr46 https://www.vulncheck.com/advisories/openclaw-path-traversal-in-feishu-media-temporary-file-naming
Metrics		cvssV3_1 `{'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}` cvssV4_0 `{'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N'}`

Subscriptions

Openclaw Openclaw

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published: 2026-03-18T01:34:19.103Z

Updated: 2026-03-18T14:04:27.283Z

Reserved: 2026-01-06T16:47:17.180Z

Link: CVE-2026-22171

Vulnrichment

Updated: 2026-03-18T14:04:22.548Z

NVD

Status : Analyzed

Published: 2026-03-18T02:16:21.310

Modified: 2026-03-19T14:52:49.680

Link: CVE-2026-22171

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-24T10:53:44Z

Weaknesses

CWE-22

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact Low

Availability Impact None

User Interaction None

Exploitation none

Automatable yes

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object