Description
OpenClaw versions prior to 2026.2.19 construct RegExp objects directly from unescaped Feishu mention metadata in the stripBotMention function, allowing regex injection and denial of service. Attackers can craft nested-quantifier patterns or metacharacters in mention metadata to trigger catastrophic backtracking, block message processing, or remove unintended content before model processing.
Published: 2026-03-18
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Immediate Patch
AI Analysis

Impact

OpenClaw versions prior to 2026.2.19 construct RegExp objects directly from unescaped Feishu mention metadata in the stripBotMention function, which allows regex injection and catastrophic backtracking. The weakness is classed as CWE-1333 (Inefficient Regular Expression Complexity) and stems from attacker-controlled metadata being compiled as a pattern rather than matched as literal text: an attacker can place nested-quantifier constructs or regex metacharacters in the mention metadata, causing message processing to hang or stripping unintended content before the message reaches the model. The result is a denial of service and possible corruption of the content the model sees.

Affected Systems

All OpenClaw instances running releases older than 2026.2.19 are affected; the CPE in the record (cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*) scopes it to the Node.js implementation.

Risk and Exploitability

The vulnerability scores 6.9 (Medium) under CVSS v4.0 and 6.5 under CVSS v3.1. Both vectors describe network-reachable exploitation with no privileges and no user interaction, with low integrity and availability impact (content stripped, message processing blocked). It can be triggered remotely by a crafted message carrying malicious mention metadata. The EPSS probability is below 1% and the issue is not listed in CISA's KEV catalog, but the prerequisites are minimal (any message source that reaches the bot), so abuse is plausible if the fix is not applied.

Generated by OpenCVE AI on March 18, 2026 at 03:22 UTC.

Remediation

The CVE record lists no vendor fix or workaround. The description and the GHSA advisory title scope the issue to versions below 2026.2.19, so that release is the upgrade target.

OpenCVE Recommended Actions

  • Upgrade OpenClaw to version 2026.2.19 or newer.
  • As an interim measure, escape regex metacharacters in, or otherwise validate, all Feishu mention metadata before it is used to construct a RegExp, so the metadata is matched literally and cannot introduce nested quantifiers or wildcards.
  • Block or quarantine messages containing suspicious mention metadata until the patch is applied or until input validation is confirmed.

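
The flaw described under Impact and the interim recommendation above, as an added example: a simplified model of the unsafe RegExp construction beside a hardened version. This is illustration code written for this page, not OpenClaw's stripBotMention; the function names, the assumption that a mention takes the form `@<name>` followed by optional whitespace, the 256-character cap, and the sample messages are all constructed.

```javascript
"use strict";

// Added example, not OpenClaw's code. Models the flaw from the advisory:
// Feishu mention metadata dropped into `new RegExp(...)` without escaping.
// Function names, message shapes and sample inputs are constructed.

// Escape every RegExp metacharacter so attacker-controlled text is matched
// literally. The character class covers . * + ? ^ $ { } ( ) | [ ] and \.
function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// Vulnerable shape: the mention name comes straight from message metadata.
// A name of "(a+)+$" yields /@(a+)+$\s*/, which backtracks exponentially on
// input such as "@aaaaaaaaaaaaaaaaaaaaaaaaaaaa!"; a name of ".*" deletes the
// rest of the line. Never call this with untrusted names; the demo below only
// runs it on inputs that terminate immediately.
function stripBotMentionUnsafe(text, mentionName) {
  const re = new RegExp(`@${mentionName}\\s*`, "g");
  return text.replace(re, "");
}

// Hardened shape: type-check, bound the length, escape. A rejected name leaves
// the message untouched rather than building a pattern from it.
function stripBotMentionSafe(text, mentionName, maxLen = 256) {
  if (typeof mentionName !== "string" || mentionName.length === 0 || mentionName.length > maxLen) {
    return text;
  }
  const re = new RegExp(`@${escapeRegExp(mentionName)}\\s*`, "g");
  return text.replace(re, "");
}

// Simplest alternative: no RegExp at all. Trailing whitespace is left in place.
function stripBotMentionNoRegex(text, mentionName) {
  return text.split("@" + mentionName).join("");
}

// Constructed sample inputs (not captured from Feishu).
const LEGIT_NAME = "OpenClaw";
const LEGIT_TEXT = "@OpenClaw summarize this thread";
const WILDCARD_NAME = ".*";
const WILDCARD_TEXT = "notes: @.* keep everything after the mention";
const NESTED_NAME = "(a+)+$";
const NESTED_TEXT = "ping @(a+)+$ now";

function demo() {
  return {
    // Benign name: both paths strip "@OpenClaw " and nothing else.
    legitUnsafe: stripBotMentionUnsafe(LEGIT_TEXT, LEGIT_NAME),
    legitSafe: stripBotMentionSafe(LEGIT_TEXT, LEGIT_NAME),
    // Metacharacter injection: the unsafe path compiles /@.*\s*/ and removes
    // everything from the "@" to the end of the line; the safe path removes
    // only the literal "@.* ".
    wildcardUnsafe: stripBotMentionUnsafe(WILDCARD_TEXT, WILDCARD_NAME),
    wildcardSafe: stripBotMentionSafe(WILDCARD_TEXT, WILDCARD_NAME),
    // Nested quantifier: escaped, it is just the literal string "(a+)+$".
    nestedSafe: stripBotMentionSafe(NESTED_TEXT, NESTED_NAME),
    nestedPattern: `@${escapeRegExp(NESTED_NAME)}\\s*`,
    nestedNoRegex: stripBotMentionNoRegex(NESTED_TEXT, NESTED_NAME),
    // Oversized name is rejected and the message passes through unchanged.
    oversizedSafe: stripBotMentionSafe(LEGIT_TEXT, "x".repeat(300)),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The wildcard case is the "remove unintended content" vector from the description: with `.*` as the name, the unsafe path returns `"notes: "` while the safe path returns the message with only the literal mention removed. The nested-quantifier name is deliberately never passed to the unsafe function; the escaped pattern it produces, `@\(a\+\)\+\$\s*`, has no quantifier on a group and runs in linear time.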
Advisories

Source: GitHub GHSA
ID: GHSA-c6hr-w26q-c636
Title: OpenClaw has ReDoS and regex injection via unescaped Feishu mention metadata in RegExp construction

History

Wed, 18 Mar 2026 17:15:00 +0000

Values added:

Metrics (ssvc): {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 18 Mar 2026 02:15:00 +0000

Values added (initial record):

Description: OpenClaw versions prior to 2026.2.19 construct RegExp objects directly from unescaped Feishu mention metadata in the stripBotMention function, allowing regex injection and denial of service. Attackers can craft nested-quantifier patterns or metacharacters in mention metadata to trigger catastrophic backtracking, block message processing, or remove unintended content before model processing.
Title: OpenClaw < 2026.2.19 - ReDoS and Regex Injection via Unescaped Feishu Mention Metadata
First time appeared: Openclaw (openclaw)
Weaknesses: CWE-1333
CPEs: cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*
Vendors & Products: Openclaw (openclaw)
References: (empty)
Metrics (cvssV3_1): {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L'}
Metrics (cvssV4_0): {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-18T16:07:18.120Z

Reserved: 2026-01-06T16:47:17.181Z

Link: CVE-2026-22178

Vulnrichment

Updated: 2026-03-18T16:07:15.447Z

NVD

Status: Analyzed

Published: 2026-03-18T02:16:22.160

Modified: 2026-03-19T16:07:51.290

Link: CVE-2026-22178

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-24T10:53:40Z

Weaknesses