CVE-2026-26321 Overview
CVE-2026-26321 is a Path Traversal vulnerability affecting OpenClaw, a personal AI assistant application. Prior to version 2026.2.14, the Feishu extension in OpenClaw allowed the sendMediaFeishu function to treat attacker-controlled mediaUrl values as local filesystem paths and read them directly. This flaw enables attackers who can influence tool calls—either directly or via prompt injection—to exfiltrate sensitive local files by supplying arbitrary file paths such as /etc/passwd as the mediaUrl parameter.
Critical Impact
Attackers can leverage prompt injection or direct tool call manipulation to read arbitrary files from the local filesystem, potentially exposing sensitive system configurations, credentials, and private data.
Affected Products
- OpenClaw versions prior to 2026.2.14
- OpenClaw Feishu extension with sendMediaFeishu functionality
Discovery Timeline
- 2026-02-19 - CVE-2026-26321 published to NVD
- 2026-02-19 - Last updated in NVD database
Technical Details for CVE-2026-26321
Vulnerability Analysis
This vulnerability is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory), commonly known as Path Traversal. The core issue stems from the sendMediaFeishu function within the Feishu extension, which fails to properly validate and sanitize user-supplied mediaUrl input before using it to access the local filesystem.
When processing media requests, the vulnerable code path directly interprets the mediaUrl parameter as a filesystem path without enforcing any directory restrictions or path canonicalization. This allows an attacker to supply paths pointing to sensitive system files outside the intended media directory scope.
The attack surface is particularly concerning in the context of an AI assistant, as prompt injection techniques can be used to manipulate tool calls indirectly. An attacker could craft malicious prompts that cause the AI to invoke sendMediaFeishu with arbitrary file paths, effectively turning the AI assistant into a file exfiltration tool.
Root Cause
The root cause of CVE-2026-26321 is the absence of proper input validation and path traversal protections in the sendMediaFeishu function. The code directly consumed the mediaUrl parameter as a local file path without implementing safeguards such as:
- Path canonicalization to resolve symbolic links and relative path components
- Directory restriction enforcement to limit file access to authorized directories
- Input sanitization to reject or neutralize path traversal sequences like ../
Attack Vector
The vulnerability is exploitable over the network, requiring no authentication or user interaction. An attacker can exploit this flaw through the following methods:
Direct Tool Call Manipulation: If an attacker has the ability to directly invoke tool calls in OpenClaw, they can supply malicious file paths in the mediaUrl parameter.
Prompt Injection: By crafting malicious prompts that influence the AI assistant's behavior, attackers can indirectly cause the system to invoke sendMediaFeishu with attacker-controlled paths like /etc/passwd, /etc/shadow, or application configuration files containing secrets.
The exploitation mechanism involves supplying a path such as /etc/passwd as the mediaUrl value. The vulnerable function reads the file contents and potentially returns or transmits them through the Feishu integration, enabling data exfiltration to an attacker-controlled destination.
For detailed technical information about the vulnerability, refer to the GitHub Security Advisory GHSA-8jpq-5h99-ff5r.
Detection Methods for CVE-2026-26321
Indicators of Compromise
- Unusual file read operations targeting sensitive system files such as /etc/passwd, /etc/shadow, or configuration files containing credentials
- Feishu extension activity involving local filesystem paths instead of expected media URLs
- Log entries showing sendMediaFeishu calls with path traversal sequences (../) or absolute paths
- Unexpected outbound data transfers through the Feishu integration containing system file contents
Detection Strategies
- Monitor OpenClaw application logs for sendMediaFeishu invocations with suspicious mediaUrl values containing path traversal patterns or references to sensitive files
- Implement file integrity monitoring on critical system files to detect unauthorized read access
- Deploy application-level monitoring to detect prompt injection patterns that could trigger malicious tool calls
- Review network traffic from OpenClaw instances for unusual data exfiltration through the Feishu API
Monitoring Recommendations
- Enable detailed logging for all Feishu extension operations, particularly the sendMediaFeishu function
- Implement alerting for any file access attempts outside designated media directories
- Monitor for anomalous patterns in AI assistant interactions that may indicate prompt injection attempts
- Establish baseline behavior for legitimate media handling to identify deviations
How to Mitigate CVE-2026-26321
Immediate Actions Required
- Upgrade OpenClaw to version 2026.2.14 or newer immediately
- Review application logs for any evidence of exploitation attempts prior to patching
- Audit any systems running vulnerable OpenClaw versions for signs of data exfiltration
- Consider isolating vulnerable instances from sensitive data until patches can be applied
Patch Information
The OpenClaw development team has released version 2026.2.14 which addresses this vulnerability. The fix removes direct local file reads from the sendMediaFeishu code path and routes all media loading operations through hardened helper functions that enforce local-root restrictions.
Patch details are available in the GitHub commit 5b4121d6011a48c71e747e3c18197f180b872c5d. The patched version can be obtained from the GitHub Release v2026.2.14.
Workarounds
- If immediate upgrade is not possible, disable or restrict access to the Feishu extension until patching can be completed
- Implement network-level controls to limit outbound connections from OpenClaw instances
- Apply filesystem permissions to restrict the OpenClaw process from accessing sensitive system files
- Deploy Web Application Firewall (WAF) rules to filter requests containing path traversal patterns targeting the vulnerable functionality
# Restrict OpenClaw process filesystem access (example using AppArmor profile)
# Add to /etc/apparmor.d/openclaw
deny /etc/passwd r,
deny /etc/shadow r,
deny /etc/** r,
# Allow only designated media directories
/var/lib/openclaw/media/** r,
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
