CVE-2026-28451: OpenClaw versions prior to 2026.2.14 contain server-side request forgery vulnerabilities in the Feishu extension that al
Summary
OpenClaw versions before 2026.2.14 have a server-side request forgery vulnerability (SSRF, where an attacker tricks a server into making requests to unintended targets) in the Feishu extension that allows attackers to fetch remote URLs and access internal services through the sendMediaFeishu function and markdown image processing. Attackers can exploit this by manipulating tool calls or using prompt injection (tricking the AI by hiding instructions in its input) to trigger these requests and re-upload the responses as Feishu media.
Solution / Mitigation
Upgrade OpenClaw to version 2026.2.14 or later.
Vulnerability Details
5.3(medium)
EPSS: 0.0%
Classification
Affected Vendors
Related Issues
Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-28451
First tracked: March 5, 2026 at 07:08 PM
Classified by LLM (prompt v3) · confidence: 75%