PT-2026-32079 · Npm · Openclaw
Published 2026-03-31 · Updated 2026-03-31
CVSS v4.0
6.0
Medium
| Vector | AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N |
Summary
Feishu upload path resolution could read files outside the configured localRoots sandbox before handing them to the upload path.
Impact
A tool caller constrained to workspace or localRoots paths could exfiltrate arbitrary host files through Feishu upload actions.
Affected Component
extensions/feishu/src/docx.ts
Fixed Versions
- Affected: >= 2026.2.6, <= 2026.3.24
- Patched: >= 2026.3.28
- Latest stable 2026.3.28 contains the fix.
Fix
Fixed by commit 764394c78b (fix: enforce localRoots sandbox on Feishu docx upload file reads).
Fix
Path traversal
Incorrect Authorization
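As an added illustration (not OpenClaw's code and not the contents of commit 764394c78b), the TypeScript below shows one way to enforce a localRoots-style sandbox before a file is read for upload. The names `resolveInsideRoots`, `readForUpload` and `demo`, and the temporary-directory fixture, are hypothetical and constructed for this example.

```typescript
import * as fs from "node:fs";
import * as os from "node:os";
import * as path from "node:path";

// Hypothetical helper, not OpenClaw's code: return the canonical path of
// `requested` only when it lies inside one of `localRoots`, else throw.
function resolveInsideRoots(requested: string, localRoots: string[], cwd: string): string {
  // realpathSync collapses ".." and follows symlinks, so the comparison is made
  // on the file that would really be opened (it throws if the file is missing).
  const real = fs.realpathSync(path.resolve(cwd, requested));
  for (const root of localRoots) {
    const rel = path.relative(fs.realpathSync(root), real);
    const climbsOut = rel === ".." || rel.startsWith(".." + path.sep);
    // An absolute `rel` means a different drive on Windows; "" is the root itself.
    if (rel !== "" && !climbsOut && !path.isAbsolute(rel)) return real;
  }
  throw new Error(`path is outside localRoots: ${requested}`);
}

// Read only the canonical path that passed the check, never the raw input.
function readForUpload(requested: string, localRoots: string[], cwd: string) {
  return fs.readFileSync(resolveInsideRoots(requested, localRoots, cwd));
}

// Constructed fixture: a sandbox root, a file outside it, and a symlink inside
// the root that points at the outside file.
function demo(): Record<string, boolean> {
  const base = fs.mkdtempSync(path.join(os.tmpdir(), "roots-"));
  const root = path.join(base, "workspace");
  const secret = path.join(base, "secret.txt");
  fs.mkdirSync(root);
  fs.writeFileSync(path.join(root, "report.docx"), "ok");
  fs.writeFileSync(secret, "host secret");
  fs.symlinkSync(secret, path.join(root, "link.docx"));
  const allowed = (p: string): boolean => {
    try { readForUpload(p, [root], root); return true; } catch { return false; }
  };
  const result = {
    inside: allowed("report.docx"),
    dotdot: allowed("../secret.txt"),
    absolute: allowed(secret),
    symlink: allowed("link.docx"),
  };
  fs.rmSync(base, { recursive: true, force: true });
  return result;
}

console.log(demo());
```

The check and the read are still two separate operations, so a root that the caller can write to while the upload runs needs the file opened once and validated by descriptor instead.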
Related identifiers
Affected products
Openclaw