PT-2026-22496 · Npm · Openclaw
Publicado
2026-02-18
·
Atualizado
2026-02-18
CVSS v3.1
8.6
Alta
| Vetor | AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N |
Summary
The Feishu extension could fetch attacker-controlled remote URLs in two paths without SSRF protections:
sendMediaFeishu(mediaUrl)- Feishu DocX markdown image URLs (write/append -> image processing)
Affected versions
< 2026.2.14
Patched versions
>= 2026.2.14
Impact
If an attacker can influence tool calls (directly or via prompt injection), they may be able to trigger requests to internal services and re-upload the response as Feishu media.
Remediation
Upgrade to OpenClaw
2026.2.14 or newer.Notes
The fix routes Feishu remote media fetching through hardened runtime helpers that enforce SSRF policies and size limits.
Correção
SSRF
Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
Enumeração de Fraquezas
Identificadores relacionados
Produtos afetados
Openclaw