CVE-2026-22171

Name of the Vulnerable Software and Affected Versions OpenClaw versions prior to 2026.2.19

Description OpenClaw contains a path traversal issue in the Feishu media download process. Untrusted media keys are directly used in constructing temporary file paths within the extensions/feishu/src/media.ts file. An attacker controlling the Feishu media key values returned to the client can utilize traversal segments to bypass the os.tmpdir() directory and write arbitrary files with the permissions of the OpenClaw process. The issue stems from the direct interpolation of untrusted input (imageKey / fileKey) into file paths. This allows for manipulation of the path, potentially leading to file writes outside the intended temporary directory.

Recommendations Update OpenClaw to version 2026.2.19 or later.