{"data":{"id":"6011a294-0e48-4c49-a21a-ddf730f40fb8","title":"GHSA-8jpq-5h99-ff5r: OpenClaw has a local file disclosure via sendMediaFeishu in Feishu extension","summary":"The Feishu extension in OpenClaw had a vulnerability where the `sendMediaFeishu` function could be tricked into reading files directly from a computer's filesystem by treating attacker-controlled file paths as input. An attacker who could influence how the tool behaves (either directly or through prompt injection, where instructions are hidden in the AI's input) could steal sensitive files like `/etc/passwd`.","solution":"Upgrade to OpenClaw version 2026.2.14 or newer. The fix removes direct local file reads and routes media loading through hardened helpers that enforce local-root restrictions.","labels":["security"],"sourceUrl":"https://github.com/advisories/GHSA-8jpq-5h99-ff5r","publishedAt":"2026-02-17T21:41:52.000Z","cveId":"CVE-2026-26321","cweIds":null,"cvssScore":null,"cvssSeverity":"high","severity":"high","attackType":["data_extraction","prompt_injection"],"issueType":"vulnerability","affectedPackages":["openclaw@< 2026.2.14 (fixed: 2026.2.14)"],"affectedVendors":["LangChain"],"affectedVendorsRaw":["OpenClaw","Feishu extension"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":"unknown","epssScore":0.00079,"patchAvailable":null,"disclosureDate":null,"capecIds":null,"crossRefCount":0,"attackSophistication":"moderate","impactType":["confidentiality"],"aiComponentTargeted":"agent","llmSpecific":false,"classifierConfidence":0.85,"researchCategory":null,"atlasIds":null}}