CVE-2026-28451: OpenClaw: SSRF via Feishu extension exposes internal services

CRITICAL
Published March 5, 2026
CISO Take

CVE-2026-28451 is a critical SSRF (CWE-918, CVSS 9.3) in OpenClaw's Feishu extension, enabling unauthenticated network attackers to proxy requests through the AI agent to reach internal services with zero privileges or user interaction required. The dual attack vectors — direct API manipulation or prompt injection via markdown image processing — mean any document, email, or webpage the agent processes could silently trigger SSRF against cloud metadata endpoints (169.254.169.254), internal databases, or key management services, with responses covertly re-uploaded as Feishu media that blends with legitimate platform traffic. Not yet in CISA KEV and no public exploit is published, but the trivial exploitation profile combined with OpenClaw's 11 prior CVEs signals systemic security debt warranting immediate action. Upgrade to OpenClaw 2026.2.14+ now; if patching is not immediate, disable the Feishu extension and enforce egress filtering blocking OpenClaw process connections to RFC-1918 ranges and cloud metadata IPs.

Sources: NVD, GitHub Advisory, ATLAS, vulncheck.com

What is the risk?

Risk is critical. The CVSS 9.3 vector (AV:N/AC:L/PR:N/UI:N/S:C) reflects maximum network reachability with no exploitation barrier, and the Scope:Changed metric indicates compromise cascades beyond the OpenClaw component into other internal systems. For AI agent deployments ingesting untrusted external content — documents, emails, scraped web pages — the prompt injection pathway creates a zero-click SSRF scenario requiring no direct attacker API access. The 11 prior CVEs in this package indicate it has been a historically soft target, and the covert exfiltration channel via Feishu media uploads will evade most DLP and network monitoring controls that don't inspect AI platform traffic.

What systems are affected?

Package: openclaw
Ecosystem: pip
Vulnerable Range: (not listed)
Patched: No patch
4 dependents; 91% patched; ~0d to patch

Severity & Risk

CVSS 3.1: 9.3 / 10
EPSS: 0.0% chance of exploitation in 30 days (higher than 13% of all CVEs)
Exploitation Status: No known exploitation
Sophistication: Trivial

Attack Surface

Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Changed
Confidentiality (C): High
Integrity (I): Low
Availability (A): None

What should I do?

6 steps
  1. Patch: Upgrade to OpenClaw 2026.2.14+ (patch commit 5b4121d6).

  2. If immediate patching is not possible, disable the Feishu extension in OpenClaw configuration.

  3. Network-level: Implement egress filtering on the OpenClaw process — block outbound connections to RFC-1918 ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), cloud metadata IPs (169.254.169.254), and localhost.

  4. Content filtering: If processing untrusted markdown, strip or sandbox image URL references before passing content to OpenClaw.

  5. Detection: Monitor for anomalous Feishu media upload activity, particularly uploads containing JSON or structured text consistent with internal service responses; alert on OpenClaw process connections to internal IP ranges.

  6. Audit all `sendMediaFeishu` call logs for unexpected URL parameters indicating internal targets.
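Steps 3 and 4 above both hinge on the same question: does the URL the agent is about to fetch point at a public host or an internal one? The following added Python example (illustrative code for this advisory, not OpenClaw's own; the function names and the injectable resolver hook are assumptions) implements that check and uses it to neutralise untrusted markdown image references before they reach the agent.

```python
"""SSRF guard for outbound media fetches plus a markdown image sanitizer.
Illustrative code added for this advisory, not OpenClaw's own; function names
and the injectable resolver hook are assumptions."""
import ipaddress
import re
import socket
from urllib.parse import urlparse

# Matches ![alt](url) references, the shape used in the exploitation scenario.
MD_IMAGE = re.compile(r"!\[([^\]]*)\]\(([^)\s]+)\)")


def _resolve(host):
    """Resolve a hostname to its address strings (swap in a stub to run offline)."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def is_safe_media_url(url, resolve=_resolve):
    """True only for http(s) URLs whose host maps exclusively to globally
    routable addresses; loopback, RFC-1918, link-local (169.254.0.0/16, so
    the cloud metadata IP), unspecified and reserved ranges all fail."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        return False
    host = parsed.hostname
    try:
        addrs = {ipaddress.ip_address(host)}  # literal IP: no DNS involved
    except ValueError:
        try:
            addrs = {ipaddress.ip_address(a) for a in resolve(host)}
        except (socket.gaierror, ValueError):
            return False
    # Every record must be public: one private A/AAAA record among several
    # (dual records, DNS rebinding) is enough to reject the URL.
    return bool(addrs) and all(a.is_global for a in addrs)


def sanitize_markdown_images(text, resolve=_resolve):
    """Rewrite image references whose URL fails the guard to their alt text,
    so the agent never sees a fetchable internal target (advisory step 4)."""
    def repl(match):
        alt, url = match.group(1), match.group(2)
        if is_safe_media_url(url, resolve):
            return match.group(0)
        return f"[image removed: {alt or 'untrusted url'}]"
    return MD_IMAGE.sub(repl, text)
```

When actually fetching, repeat the check on every redirect hop, since a public host can redirect to an internal address, and connect to the address that was checked rather than re-resolving the name, to close the rebinding window between check and fetch.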

CISA SSVC Assessment

Decision: Track
Exploitation: none
Automatable: Yes
Technical Impact: partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act: Article 15 - Accuracy, robustness and cybersecurity
ISO 42001: 8.4 - AI system security
NIST AI RMF: MANAGE-2.2 - AI risk treatment and monitoring
OWASP LLM Top 10: LLM01 - Prompt Injection; LLM07 - Insecure Plugin Design

Related AI Incidents (1)

Source: AI Incident Database (AIID)

Frequently Asked Questions

What is CVE-2026-28451?

CVE-2026-28451 is a critical (CVSS 9.3) server-side request forgery (CWE-918) in OpenClaw's Feishu extension, affecting versions prior to 2026.2.14. An unauthenticated attacker, either by calling the API directly or by planting a markdown image reference in content the agent processes, can make the agent fetch internal URLs and re-upload the responses as Feishu media. The CISO Take at the top of this page gives the full summary.

Is CVE-2026-28451 actively exploited?

No confirmed active exploitation of CVE-2026-28451 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-28451?

Follow the six steps under "What should I do?" above. In short: upgrade to OpenClaw 2026.2.14+ (patch commit 5b4121d6); until then, disable the Feishu extension, filter egress from the OpenClaw process to RFC-1918 ranges, the cloud metadata IP and localhost, strip or sandbox image URLs in untrusted markdown, monitor Feishu media uploads and internal connections from the process, and audit `sendMediaFeishu` call logs for internal targets.

What systems are affected by CVE-2026-28451?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, RAG pipelines, enterprise AI assistants with internal network access.

What is the CVSS score for CVE-2026-28451?

CVE-2026-28451 has a CVSS v3.1 base score of 9.3 (CRITICAL). The EPSS exploitation probability is 0.04%.

Technical Details

NVD Description

OpenClaw versions prior to 2026.2.14 contain server-side request forgery vulnerabilities in the Feishu extension that allow attackers to fetch attacker-controlled remote URLs without SSRF protections via sendMediaFeishu function and markdown image processing. Attackers can influence tool calls through direct manipulation or prompt injection to trigger requests to internal services and re-upload responses as Feishu media.

Exploitation Scenario

An attacker embeds a crafted markdown image reference in a document or webpage: `![x](http://169.254.169.254/latest/meta-data/iam/security-credentials/)`. When a victim user asks their OpenClaw-powered AI agent to summarize or process this content, the agent parses the markdown and the Feishu extension calls `sendMediaFeishu` with the attacker-controlled URL. OpenClaw fetches the cloud metadata endpoint, retrieves IAM credentials or other sensitive data, and re-uploads the response as a Feishu media file in the victim's workspace — accessible to the attacker. The full chain requires zero direct API access; introducing the malicious document via email attachment, shared link, or a poisoned RAG data source is sufficient to trigger silent credential exfiltration.

Weaknesses (CWE)

CWE-918: Server-Side Request Forgery (SSRF)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N

Timeline

Published: March 5, 2026
Last Modified: March 11, 2026
First Seen: March 5, 2026

Related Vulnerabilities