AI Threat Alert
CVE-2026-22178
MEDIUMOpenClaw versions prior to 2026.2.19 construct RegExp objects directly from unescaped Feishu mention metadata in the stripBotMention function, allowing regex injection and denial of service. Attackers can craft nested-quantifier patterns or metacharacters in mention metadata to trigger catastrophic...
Full CISO analysis pending enrichment.
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| OpenClaw | pip | — | No patch |
Do you use OpenClaw? You're affected.
How severe is it?
What is the attack surface?
What should I do?
No patch available
Monitor for updates. Consider compensating controls or temporary mitigations.
Which compliance frameworks are affected?
Compliance analysis pending. Sign in for full compliance mapping when available.
Frequently Asked Questions
What is CVE-2026-22178?
OpenClaw versions prior to 2026.2.19 construct RegExp objects directly from unescaped Feishu mention metadata in the stripBotMention function, allowing regex injection and denial of service. Attackers can craft nested-quantifier patterns or metacharacters in mention metadata to trigger catastrophic backtracking, block message processing, or remove unintended content before model processing.
Is CVE-2026-22178 actively exploited?
No confirmed active exploitation of CVE-2026-22178 has been reported, but organizations should still patch proactively.
How to fix CVE-2026-22178?
No patch is currently available. Monitor vendor advisories for updates.
What is the CVSS score for CVE-2026-22178?
CVE-2026-22178 has a CVSS v3.1 base score of 6.5 (MEDIUM).
What are the technical details?
Original Advisory
OpenClaw versions prior to 2026.2.19 construct RegExp objects directly from unescaped Feishu mention metadata in the stripBotMention function, allowing regex injection and denial of service. Attackers can craft nested-quantifier patterns or metacharacters in mention metadata to trigger catastrophic backtracking, block message processing, or remove unintended content before model processing.
Weaknesses (CWE)
CWE-1333 — Inefficient Regular Expression Complexity: The product uses a regular expression with a worst-case computational complexity that is inefficient and possibly exponential.
- [Architecture and Design] Use regular expressions that do not support backtracking, e.g. by removing nested quantifiers.
- [System Configuration] Set backtracking limits in the configuration of the regular expression implementation, such as PHP's pcre.backtrack_limit. Also consider limits on execution time for the process.
Source: MITRE CWE corpus.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L References
- github.com/openclaw/openclaw/commit/74268489137510b6f6349919d1e197b17290d92c patch
- github.com/openclaw/openclaw/commit/7e67ab75cc2f0e93569d12fecd1411c2961fcc8c patch
- github.com/openclaw/openclaw/security/advisories/GHSA-c6hr-w26q-c636 vendor-advisory
- vulncheck.com/advisories/openclaw-redos-and-regex-injection-via-unescaped-feishu-mention-metadata third-party-advisory
Timeline
Related Vulnerabilities
CVE-2026-33579 9.9 Analysis pending
Same package: openclaw CVE-2026-32922 9.9 Analysis pending
Same package: openclaw CVE-2026-30741 9.8 OpenClaw: RCE via request-side prompt injection
Same package: openclaw CVE-2026-53838 9.8 OpenClaw: approval scope bypass via reconnection state
Same package: openclaw CVE-2026-32038 9.8 Analysis pending
Same package: openclaw