PT-2026-23529 · Openclaw+1

Peng Zhou · Published 2026-02-18 · Updated 2026-03-07

CVE-2026-28451 · CVSS v3.1 9.3 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N
Name of the Vulnerable Software and Affected Versions: OpenClaw versions prior to 2026.2.14
Description: The Feishu extension in OpenClaw is vulnerable to server-side request forgery (SSRF): it fetches attacker-controlled URLs without SSRF protections, so the destination host is not restricted and internal services are reachable. Two code paths are affected: the sendMediaFeishu(mediaUrl) function and the handling of markdown images inside Feishu DocX documents. An attacker who can influence tool calls, directly or through prompt injection, can make the extension request internal services and then re-upload the responses as Feishu media, exfiltrating their content.
Recommendations: Upgrade to OpenClaw version 2026.2.14 or newer.

Fix

Weakness Enumeration

SSRF

Related Identifiers

CVE-2026-28451
GHSA-X22M-J5QQ-J49M

Affected Products

Feishu
Openclaw