PT-2026-20951 · Openclaw · Openclaw
Zpbrent · Published 2026-02-17 · Updated 2026-03-07
CVE-2026-26321 · CVSS v3.1 7.5 High
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: OpenClaw versions prior to 2026.2.14
Description: The Feishu extension's sendMediaFeishu function treated attacker-controlled mediaUrl values that were not remote URLs as local filesystem paths and read them directly. An attacker who can influence the tool call's arguments, for example through prompt injection into the agent, could therefore exfiltrate arbitrary local files by supplying a path such as /etc/passwd as the mediaUrl; the file contents are then sent out through the Feishu channel. The fix removes the direct local file read and routes media loading through hardened helpers that confine local reads to a configured local root.
Recommendations: Upgrade to OpenClaw version 2026.2.14 or newer. Until the upgrade is in place, treat any mediaUrl that reaches the Feishu extension from model-generated tool calls as untrusted input.
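The two behaviours the description contrasts, as an added example that is not OpenClaw's or the Feishu extension's code: a hypothetical stand-in for the vulnerable pattern (a non-http(s) mediaUrl is passed straight to a file read) beside a hardened variant that confines local reads to a hypothetical mediaRoot parameter. The media root, the file names and the "secret" that plays the role of /etc/passwd are all constructed fixtures for this example.

```typescript
import * as fs from "node:fs";
import * as os from "node:os";
import * as path from "node:path";

const REMOTE = /^https?:\/\//i;

// Vulnerable pattern as described in the advisory (hypothetical stand-in,
// not the project's code): anything that is not an http(s) URL is treated
// as a local path and read with no restriction on where it points.
function loadMediaVulnerable(mediaUrl: string): Buffer {
  if (REMOTE.test(mediaUrl)) {
    throw new Error("remote fetch is out of scope for this offline example");
  }
  return fs.readFileSync(mediaUrl); // "/etc/passwd" is read as-is
}

// Hardened variant: a local path is served only if it canonicalizes to a
// regular file under mediaRoot (hypothetical local-root parameter).
function loadMediaHardened(mediaUrl: string, mediaRoot: string): Buffer {
  if (REMOTE.test(mediaUrl)) {
    throw new Error("remote fetch is out of scope for this offline example");
  }
  // Refuse other schemes (file:, data:, ...) instead of guessing at them.
  // Two or more characters before the colon so a Windows drive letter
  // such as "C:" is not mistaken for a scheme.
  if (/^[a-z][a-z0-9+.-]+:/i.test(mediaUrl)) {
    throw new Error(`unsupported scheme in mediaUrl: ${mediaUrl}`);
  }
  const root = fs.realpathSync(mediaRoot);
  // Lexical check: "../x" or an absolute "/etc/passwd" resolves outside root.
  const lexical = path.resolve(root, mediaUrl);
  if (!isInside(root, lexical)) {
    throw new Error(`mediaUrl escapes media root: ${mediaUrl}`);
  }
  // Physical check: a symlink inside root may still point outside it.
  const real = fs.realpathSync(lexical);
  if (!isInside(root, real)) {
    throw new Error(`mediaUrl resolves outside media root: ${mediaUrl}`);
  }
  if (!fs.statSync(real).isFile()) {
    throw new Error(`mediaUrl is not a regular file: ${mediaUrl}`);
  }
  return fs.readFileSync(real);
}

// True when candidate is strictly below root (root itself is not a file).
function isInside(root: string, candidate: string): boolean {
  const rel = path.relative(root, candidate);
  if (rel === "" || path.isAbsolute(rel)) return false;
  return rel.split(path.sep)[0] !== "..";
}

// Constructed fixture: a media root holding one legitimate file, a "secret"
// outside the root standing in for /etc/passwd, and a symlink inside the
// root that points at the secret. Returns what each call did.
function demo(): Record<string, string> {
  const base = fs.mkdtempSync(path.join(os.tmpdir(), "feishu-media-"));
  const root = path.join(base, "media");
  const secret = path.join(base, "secret.txt");
  fs.mkdirSync(root);
  fs.writeFileSync(path.join(root, "photo.png"), "PNG-bytes");
  fs.writeFileSync(secret, "root:x:0:0:root:/root:/bin/bash");
  try {
    fs.symlinkSync(secret, path.join(root, "link.png"));
  } catch {
    // symlink creation may be unavailable; the case then fails closed
  }
  const attempt = (fn: () => Buffer): string => {
    try {
      return "read:" + fn().toString();
    } catch {
      return "refused";
    }
  };
  return {
    vulnAbsolute: attempt(() => loadMediaVulnerable(secret)),
    hardenedAbsolute: attempt(() => loadMediaHardened(secret, root)),
    hardenedTraversal: attempt(() => loadMediaHardened("../secret.txt", root)),
    hardenedSymlink: attempt(() => loadMediaHardened("link.png", root)),
    hardenedOk: attempt(() => loadMediaHardened("photo.png", root)),
  };
}

console.log(demo());
```

The lexical check alone is not enough: a symlink that lives under the media root can still name a file outside it, which is why the hardened variant canonicalizes with realpathSync and re-checks the result before reading. Rejecting unknown schemes rather than stripping them avoids a second parsing path that the root check does not cover.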

Tags: Exploit · Fix · Path traversal


Weakness Enumeration

Related Identifiers: CVE-2026-26321, GHSA-8JPQ-5H99-FF5R

Affected Products: Openclaw