CVE-2026-26321 — HIGH (CVSS 7.5)

CISO Take

CVE-2026-26321 is a path traversal flaw (CWE-22) in OpenClaw's Feishu extension where the `sendMediaFeishu` tool accepts attacker-controlled `mediaUrl` values as raw filesystem paths, enabling reads of arbitrary local files such as SSH keys, `.env` secrets, or `/etc/passwd` with zero authentication. The CVSS 7.5 score (AV:N/AC:L/PR:N/UI:N/C:H) reflects a frictionless exploitation profile — any actor able to influence OpenClaw's tool calls, whether directly or via prompt injection against ingested external content, can silently exfiltrate sensitive files. While there is no CISA KEV entry or public exploit yet, OpenClaw carries 11 total CVEs and AIID #1368 documents active abuse of its extension ecosystem for credential theft, indicating this package and its plugin surface are under active adversarial attention. Patch to OpenClaw 2026.2.14 immediately; if patching is not feasible, disable the Feishu extension and sandbox the assistant process with filesystem restrictions.

Sources: NVD GitHub Advisory ATLAS

What is the risk?

High risk for any deployment running OpenClaw prior to 2026.2.14 with the Feishu extension enabled. The network-accessible, zero-privilege, no-user-interaction CVSS profile means the attack requires no special position beyond the ability to feed crafted input into the agent's context. Personal AI assistants typically run with broad local filesystem access, giving a successful exploit direct reach to credentials, config files, and secrets. The 11-CVE track record and documented real-world abuse of OpenClaw's extension ecosystem (AIID #1368) elevates practical risk beyond what CVSS alone conveys.

What systems are affected?

Package	Ecosystem	Vulnerable Range	Patched
openclaw	pip	—	No patch
4 dependents 91% patched ~0d to patch Full package profile →

Do you use openclaw? You're affected.

Severity & Risk

CVSS 3.1

7.5 / 10

EPSS

0.0%

chance of exploitation in 30 days

Higher than 8% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

No known exploitation

Sophistication

Trivial

Attack Surface

AV Network

AC Low

PR None

UI None

S Unchanged

C High

I None

A None

What should I do?

6 steps

Patch immediately: upgrade to OpenClaw 2026.2.14 (fix commit 5b4121d6, GHSA-8jpq-5h99-ff5r).
If patching is not immediately possible, disable the Feishu extension in OpenClaw settings.
Sandbox the OpenClaw process using OS-level controls (chroot, container, or macOS sandbox profiles) to restrict filesystem access to necessary directories only.
Audit Feishu outbound API call logs for unexpected payloads containing file content.
Review all AI agent tool definitions for parameters that accept file paths and enforce allow-list validation.
Monitor for prompt injection patterns in content ingested by the assistant (emails, documents, web pages).

CISA SSVC Assessment

Decision Track

Exploitation none

Automatable Yes

Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Data Extraction Prompt Injection Privacy Violation Agent Plugin AML.T0037 - Data from Local System AML.T0051.000 - Direct AML.T0051.001 - Indirect AML.T0053 - AI Agent Tool Invocation AML.T0086 - Exfiltration via AI Agent Tool Invocation

Compliance Impact

This CVE is relevant to:

EU AI Act

Article 15 - Accuracy, robustness and cybersecurity

ISO 42001

A.6.2.3 - AI system security controls

NIST AI RMF

MANAGE 2.2 - Manage AI risks through established controls

OWASP LLM Top 10

LLM07 - Insecure Plugin Design

Related AI Incidents (1)

Malicious OpenClaw Skills Reportedly Delivered AMOS Stealer and Exfiltrated Credentials via ClawHub

Feb 2026 Unknown threat actors distributing malicious OpenClaw skills, Unknown threat actors, Unknown malicious actors high confidence

AIID #1368 documents active abuse of OpenClaw's third-party extensions ecosystem (same package) to deliver credential-stealing malware via malicious skills — the identical exfiltration-via-tool-invocation failure mode that CVE-2026-26321 enables through path traversal in the Feishu extension, confirming OpenClaw's plugin surface is a live target.

AIID #1368

Source: AI Incident Database (AIID)

Frequently Asked Questions

What is CVE-2026-26321?

CVE-2026-26321 is a path traversal flaw (CWE-22) in OpenClaw's Feishu extension where the `sendMediaFeishu` tool accepts attacker-controlled `mediaUrl` values as raw filesystem paths, enabling reads of arbitrary local files such as SSH keys, `.env` secrets, or `/etc/passwd` with zero authentication. The CVSS 7.5 score (AV:N/AC:L/PR:N/UI:N/C:H) reflects a frictionless exploitation profile — any actor able to influence OpenClaw's tool calls, whether directly or via prompt injection against ingested external content, can silently exfiltrate sensitive files. While there is no CISA KEV entry or public exploit yet, OpenClaw carries 11 total CVEs and AIID #1368 documents active abuse of its extension ecosystem for credential theft, indicating this package and its plugin surface are under active adversarial attention. Patch to OpenClaw 2026.2.14 immediately; if patching is not feasible, disable the Feishu extension and sandbox the assistant process with filesystem restrictions.

Is CVE-2026-26321 actively exploited?

No confirmed active exploitation of CVE-2026-26321 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-26321?

1. Patch immediately: upgrade to OpenClaw 2026.2.14 (fix commit 5b4121d6, GHSA-8jpq-5h99-ff5r). 2. If patching is not immediately possible, disable the Feishu extension in OpenClaw settings. 3. Sandbox the OpenClaw process using OS-level controls (chroot, container, or macOS sandbox profiles) to restrict filesystem access to necessary directories only. 4. Audit Feishu outbound API call logs for unexpected payloads containing file content. 5. Review all AI agent tool definitions for parameters that accept file paths and enforce allow-list validation. 6. Monitor for prompt injection patterns in content ingested by the assistant (emails, documents, web pages).

What systems are affected by CVE-2026-26321?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, personal AI assistants, agentic tool execution.

What is the CVSS score for CVE-2026-26321?

CVE-2026-26321 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 0.03%.

Technical Details

NVD Description

OpenClaw is a personal AI assistant. Prior to OpenClaw version 2026.2.14, the Feishu extension previously allowed `sendMediaFeishu` to treat attacker-controlled `mediaUrl` values as local filesystem paths and read them directly. If an attacker can influence tool calls (directly or via prompt injection), they may be able to exfiltrate local files by supplying paths such as `/etc/passwd` as `mediaUrl`. Upgrade to OpenClaw `2026.2.14` or newer to receive a fix. The fix removes direct local file reads from this path and routes media loading through hardened helpers that enforce local-root restrictions.

Exploitation Scenario

An attacker embeds a prompt injection in a document or email that OpenClaw is asked to process: the injected instruction directs the assistant to call `sendMediaFeishu` with `mediaUrl` set to `/home/user/.ssh/id_rsa`. The vulnerable extension reads the private key from disk and transmits it as a media payload to the attacker's Feishu contact, with no authentication, no user confirmation prompt, and no error raised. In a more automated variant, the attacker publishes a malicious webpage or Feishu message containing the injection, which triggers silently when OpenClaw browses or processes it as part of an agentic task, exfiltrating credentials to a controlled endpoint before the user is aware.