PT-2026-26009 · Openclaw · Openclaw

Sean Nejad · Published 2026-02-19 · Updated 2026-03-18 · CVE-2026-22178

CVSS v2.0: 8.5 (High)
Vector: AV:N/AC:L/Au:N/C:N/I:P/A:C
Name of the Vulnerable Software and Affected Versions: OpenClaw versions 2026.2.6 through 2026.2.17

Description: The software constructs RegExp objects directly from unescaped Feishu mention metadata in the stripBotMention function, allowing regex injection and denial of service. An attacker can place nested quantifiers or other regex metacharacters in mention metadata to trigger catastrophic backtracking, blocking message processing, or to cause unintended content to be removed before the message reaches the model. The vulnerable code resides in extensions/feishu/src/bot.ts, where a new RegExp() is created from mention.name and mention.key without escaping regex metacharacters.

Recommendations: OpenClaw versions 2026.2.6 through 2026.2.17 should be updated to version 2026.2.19 or later.
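The pattern described above, as an added illustration that is not OpenClaw's own code: a mention-stripping helper that interpolates mention metadata straight into a RegExp sits beside a hardened version that escapes metacharacters first, so user-controlled names are matched literally. The mention object shape, the function names stripBotMentionUnsafe and stripBotMentionSafe, and the sample messages are assumptions made for this example; the real stripBotMention signature is not given on the page.

```javascript
// Added example, not code from OpenClaw. Shapes and names are assumptions.

// Escape every character that has special meaning in a JavaScript regex so
// the resulting pattern matches the input text literally.
function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Defender check: report whether mention metadata carries regex metacharacters
// at all. Useful for logging/alerting on suspicious mention payloads.
function mentionHasMetachars(mention) {
  const meta = /[.*+?^${}()|[\]\\]/;
  return meta.test(mention.name) || meta.test(mention.key);
}

// Vulnerable shape: mention.name / mention.key are interpolated unescaped, so
// they are interpreted as pattern syntax rather than as literal text.
function stripBotMentionUnsafe(text, mention) {
  const re = new RegExp(`@?(?:${mention.name}|${mention.key})\\s*`, 'g');
  return text.replace(re, '');
}

// Hardened shape: escape both fields before building the pattern. The regex
// now only removes the exact mention text, whatever characters it contains.
function stripBotMentionSafe(text, mention) {
  const name = escapeRegExp(mention.name);
  const key = escapeRegExp(mention.key);
  const re = new RegExp(`@?(?:${name}|${key})\\s*`, 'g');
  return text.replace(re, '');
}

// Constructed sample data: a bot name containing an unescaped '.' wildcard.
const sampleMention = { name: 'claw.bot', key: 'ou_k' };

// Stand-alone demo: the unsafe variant also strips 'clawXbot', which is not a
// mention at all; the safe variant leaves it alone but still strips '@claw.bot'.
console.log(stripBotMentionUnsafe('hello clawXbot there', sampleMention)); // hello there
console.log(stripBotMentionSafe('hello clawXbot there', sampleMention));   // hello clawXbot there
console.log(stripBotMentionSafe('@claw.bot ping', sampleMention));         // ping
console.log(mentionHasMetachars(sampleMention));                           // true
```

The same escaping step is what closes the backtracking path as well: once quantifiers and groups in the metadata are escaped, the compiled pattern has a fixed literal structure regardless of what the mention contains.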

Fix

DoS

Weakness Enumeration

Related Identifiers

BDU:2026-05064
CVE-2026-22178
GHSA-C6HR-W26Q-C636

Affected Products

Openclaw