CVE-2026-22171 Overview
CVE-2026-22171 is a path traversal vulnerability affecting OpenClaw versions prior to 2026.2.19. The vulnerability exists in the Feishu media download flow where untrusted media keys are interpolated directly into temporary file paths in extensions/feishu/src/media.ts. An attacker who can control Feishu media key values returned to the client can use traversal segments to escape os.tmpdir() and write arbitrary files within the OpenClaw process permissions.
This path traversal flaw (CWE-22) allows remote attackers to manipulate file paths and potentially overwrite critical system files, deploy malicious payloads, or establish persistence mechanisms on affected systems.
Critical Impact
Remote attackers can write arbitrary files outside the intended temporary directory by manipulating Feishu media key values, potentially leading to code execution or system compromise.
Affected Products
- OpenClaw versions prior to 2026.2.19
- OpenClaw for Node.js environments
- Systems using the Feishu media download extension
Discovery Timeline
- 2026-03-18 - CVE-2026-22171 published to NVD
- 2026-03-19 - Last updated in NVD database
Technical Details for CVE-2026-22171
Vulnerability Analysis
The vulnerability resides in the Feishu media download functionality within extensions/feishu/src/media.ts. When processing media downloads, OpenClaw constructs temporary file paths by directly interpolating user-controlled media key values without proper sanitization. This design flaw allows attackers to inject path traversal sequences (such as ../) into media keys, enabling them to write files to arbitrary locations outside the intended temporary directory.
The attack is network-accessible and requires no authentication or user interaction, making it particularly dangerous for internet-facing deployments. Successful exploitation could result in arbitrary file writes with the privileges of the OpenClaw process, potentially leading to configuration tampering, code injection, or complete system compromise.
Root Cause
The root cause is improper input validation when constructing file paths from external input. The Feishu media key values, which are received from external sources, were used directly in path construction without sanitization or validation. This violates secure coding principles that mandate treating all external input as untrusted and validating file paths to prevent directory traversal attacks.
The vulnerable code pattern likely resembled constructing paths like path.join(os.tmpdir(), mediaKey) where mediaKey could contain traversal sequences like ../../etc/cron.d/malicious.
Attack Vector
The attack is executed over the network by manipulating Feishu media key values returned to the OpenClaw client. An attacker can craft malicious media keys containing path traversal sequences such as ../ or ..\\ to escape the temporary directory boundary. When the application processes these malicious keys, it writes downloaded content to attacker-controlled locations on the filesystem.
The security patches introduced multiple layers of defense:
// Security patch - Input validation for external keys
// Source: https://github.com/openclaw/openclaw/commit/ec232a9e2dff60f0e3d7e827a7c868db5254473f
const CONTROL_CHARS_RE = /[\\u0000-\\u001f\\u007f]/;
const MAX_EXTERNAL_KEY_LENGTH = 512;
export function normalizeFeishuExternalKey(value: unknown): string | undefined {
if (typeof value !== "string") {
return undefined;
}
const normalized = value.trim();
if (!normalized || normalized.length > MAX_EXTERNAL_KEY_LENGTH) {
return undefined;
}
if (CONTROL_CHARS_RE.test(normalized)) {
return undefined;
}
if (normalized.includes("/") || normalized.includes("\\") || normalized.includes("..")) {
return undefined;
}
return normalized;
}
The patch implements comprehensive validation that rejects media keys containing path separators (/, \\) or traversal sequences (..), control characters, and excessively long values.
Detection Methods for CVE-2026-22171
Indicators of Compromise
- Unexpected file creation or modification outside the OpenClaw temporary directory
- Feishu media requests containing path traversal patterns (../, ..\\, %2e%2e) in media key parameters
- Log entries showing file operations targeting directories outside os.tmpdir()
- Presence of unauthorized files in system directories with timestamps matching OpenClaw activity
Detection Strategies
- Monitor filesystem activity for the OpenClaw process, alerting on writes outside expected directories
- Implement web application firewall rules to detect path traversal patterns in API requests
- Analyze application logs for media download requests containing suspicious characters or sequences
- Deploy endpoint detection rules to identify file writes to sensitive system paths from Node.js processes
Monitoring Recommendations
- Enable verbose logging for the Feishu extension to capture all media download operations
- Configure file integrity monitoring (FIM) on critical system directories
- Set up alerts for OpenClaw process activity writing to paths outside the application directory
- Review network traffic for Feishu API responses containing unusual media key values
How to Mitigate CVE-2026-22171
Immediate Actions Required
- Upgrade OpenClaw to version 2026.2.19 or later immediately
- Review systems for signs of exploitation, particularly unexpected files in system directories
- Audit filesystem permissions to limit the OpenClaw process's write access to only necessary directories
- Consider temporarily disabling the Feishu extension if immediate patching is not possible
Patch Information
OpenClaw has released security patches addressing this vulnerability. The fixes implement input validation for external keys and harden temporary path handling. The following commits contain the security fixes:
- Security patch c821099 - Harden temp media download paths
- Security patch cdb00fe - Isolate temp download writes in mkdtemp directories
- Security patch ec232a9 - Harden temp-path handling for inbound media
For complete details, refer to the GitHub Security Advisory GHSA-vj3g-5px3-gr46.
Workarounds
- Run the OpenClaw process with minimal filesystem permissions, restricting write access to only necessary directories
- Implement network-level controls to sanitize or block requests containing path traversal patterns
- Deploy containerization or sandboxing to isolate the OpenClaw process from sensitive filesystem areas
- Use a web application firewall (WAF) to filter malicious input before it reaches the application
# Example: Restrict OpenClaw process permissions using systemd
# /etc/systemd/system/openclaw.service.d/hardening.conf
[Service]
ReadWritePaths=/var/lib/openclaw/temp
ReadOnlyPaths=/
ProtectSystem=strict
ProtectHome=true
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
