CVE-2026-28451: OpenClaw: SSRF via Feishu extension exposes internal services

CRITICAL
Published March 5, 2026
CISO Take

CVE-2026-28451 is a critical SSRF (CWE-918, CVSS 9.3) in OpenClaw's Feishu extension, enabling unauthenticated network attackers to proxy requests through the AI agent to reach internal services with zero privileges or user interaction required. The dual attack vectors — direct API manipulation or prompt injection via markdown image processing — mean any document, email, or webpage the agent processes could silently trigger SSRF against cloud metadata endpoints (169.254.169.254), internal databases, or key management services, with responses covertly re-uploaded as Feishu media that blends with legitimate platform traffic. Not yet in CISA KEV and no public exploit is published, but the trivial exploitation profile combined with OpenClaw's 11 prior CVEs signals systemic security debt warranting immediate action. Upgrade to OpenClaw 2026.2.14+ now; if patching is not immediate, disable the Feishu extension and enforce egress filtering blocking OpenClaw process connections to RFC-1918 ranges and cloud metadata IPs.

Sources: NVD, GitHub Advisory, ATLAS, vulncheck.com

Risk Assessment

Risk is critical. The CVSS 9.3 vector (AV:N/AC:L/PR:N/UI:N/S:C) reflects maximum network reachability with no exploitation barrier, and the Scope:Changed metric indicates compromise cascades beyond the OpenClaw component into other internal systems. For AI agent deployments ingesting untrusted external content — documents, emails, scraped web pages — the prompt injection pathway creates a zero-click SSRF scenario requiring no direct attacker API access. The 11 prior CVEs in this package indicate it has been a historically soft target, and the covert exfiltration channel via Feishu media uploads will evade most DLP and network monitoring controls that don't inspect AI platform traffic.

Affected Systems

Package Ecosystem Vulnerable Range Patched
openclaw pip No patch

Severity & Risk

CVSS 3.1
9.3 / 10
EPSS
N/A
Exploitation Status
No known exploitation
Sophistication
Trivial

Recommended Action

  1. Patch: Upgrade to OpenClaw 2026.2.14+ (patch commit 5b4121d6).
  2. If immediate patching is not possible, disable the Feishu extension in OpenClaw configuration.
  3. Network-level: Implement egress filtering on the OpenClaw process — block outbound connections to RFC-1918 ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), cloud metadata IPs (169.254.169.254), and localhost.
  4. Content filtering: If processing untrusted markdown, strip or sandbox image URL references before passing content to OpenClaw.
  5. Detection: Monitor for anomalous Feishu media upload activity, particularly uploads containing JSON or structured text consistent with internal service responses; alert on OpenClaw process connections to internal IP ranges.
  6. Audit all `sendMediaFeishu` call logs for unexpected URL parameters indicating internal targets.
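Recommendation 4 (strip or sandbox image URL references before untrusted markdown reaches the agent) can be enforced as a pre-processing guard. The following is an added example, not OpenClaw's code or the upstream patch; it assumes the markdown image syntax shown in the exploitation scenario, uses the address ranges from recommendation 3, and the sample document is constructed.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample: the metadata image reference from the scenario, a benign image, an internal DB host.
SAMPLE_MARKDOWN = (
    "![x](http://169.254.169.254/latest/meta-data/iam/security-credentials/)\n"
    "![logo](https://example.com/logo.png)\n"
    "![db](http://10.0.0.5:5432/)\n"
)

# The same ranges the egress-filtering recommendation blocks, plus their IPv6 equivalents.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC-1918
    "169.254.0.0/16",                      # link-local, incl. cloud metadata 169.254.169.254
    "127.0.0.0/8", "0.0.0.0/8",            # loopback and "this host"
    "::1/128", "fc00::/7", "fe80::/10",    # IPv6 loopback, ULA, link-local
)]
ALLOWED_SCHEMES = {"http", "https"}
IMAGE_REF = re.compile(r"!\[([^\]]*)\]\(([^)\s]+)\)")


def is_unsafe_image_url(url: str) -> bool:
    """True if the agent must not fetch this URL. Judges literal IPs and local hostnames
    only (runs offline); a real guard must also check every address DNS returns and
    re-check after each redirect, or a hostname can be rebound to an internal address."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return True                      # file:, gopher:, ... are never image sources
    host = (parts.hostname or "").lower()
    if not host or host == "localhost" or host.endswith(".localhost"):
        return True
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False                     # hostname: resolve and re-check at fetch time
    return any(addr in net for net in BLOCKED_NETWORKS)


def sanitize_markdown_images(markdown: str) -> tuple[str, list[str]]:
    """Strip image references aimed at internal targets; return (clean text, dropped URLs)."""
    dropped: list[str] = []

    def replace(match: re.Match) -> str:
        url = match.group(2)
        if is_unsafe_image_url(url):
            dropped.append(url)          # keep the dropped URL for the detection log (rec. 5)
            return "[image removed: blocked URL]"
        return match.group(0)
    return IMAGE_REF.sub(replace, markdown), dropped
```

The dropped list is worth logging: an untrusted document carrying a metadata or RFC-1918 image URL is itself a prompt-injection indicator.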

Classification

Compliance Impact

This CVE is relevant to:

  EU AI Act: Article 15 - Accuracy, robustness and cybersecurity
  ISO 42001: 8.4 - AI system security
  NIST AI RMF: MANAGE-2.2 - AI risk treatment and monitoring
  OWASP LLM Top 10: LLM01 - Prompt Injection; LLM07 - Insecure Plugin Design

Related AI Incidents (1)

Source: AI Incident Database (AIID)

Technical Details

NVD Description

OpenClaw versions prior to 2026.2.14 contain server-side request forgery vulnerabilities in the Feishu extension that allow attackers to fetch attacker-controlled remote URLs without SSRF protections via the sendMediaFeishu function and markdown image processing. Attackers can influence tool calls through direct manipulation or prompt injection to trigger requests to internal services and re-upload responses as Feishu media.

Exploitation Scenario

An attacker embeds a crafted markdown image reference in a document or webpage: `![x](http://169.254.169.254/latest/meta-data/iam/security-credentials/)`. When a victim user asks their OpenClaw-powered AI agent to summarize or process this content, the agent parses the markdown and the Feishu extension calls `sendMediaFeishu` with the attacker-controlled URL. OpenClaw fetches the cloud metadata endpoint, retrieves IAM credentials or other sensitive data, and re-uploads the response as a Feishu media file in the victim's workspace — accessible to the attacker. The full chain requires zero direct API access; introducing the malicious document via email attachment, shared link, or a poisoned RAG data source is sufficient to trigger silent credential exfiltration.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N

Timeline

Published
March 5, 2026
Last Modified
March 11, 2026
First Seen
March 5, 2026
