GHSA-x22m-j5qq-j49m
Suggest an improvement- Source
- https://github.com/advisories/GHSA-x22m-j5qq-j49m
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-x22m-j5qq-j49m/GHSA-x22m-j5qq-j49m.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-x22m-j5qq-j49m
- Published
- 2026-02-18T17:45:12Z
- Modified
- 2026-02-18T18:06:45.229364Z
- Severity
-
- 8.6 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N CVSS Calculator
- Summary
- OpenClaw has two SSRF via sendMediaFeishu and markdown image fetching in Feishu extension
- Details
-
Summary
The Feishu extension could fetch attacker-controlled remote URLs in two paths without SSRF protections:
sendMediaFeishu(mediaUrl)- Feishu DocX markdown image URLs (write/append -> image processing)
Affected versions
< 2026.2.14
Patched versions
>= 2026.2.14
Impact
If an attacker can influence tool calls (directly or via prompt injection), they may be able to trigger requests to internal services and re-upload the response as Feishu media.
Remediation
Upgrade to OpenClaw
2026.2.14or newer.Notes
The fix routes Feishu remote media fetching through hardened runtime helpers that enforce SSRF policies and size limits.
- Database specific
{ "github_reviewed_at": "2026-02-18T17:45:12Z", "severity": "HIGH", "cwe_ids": [ "CWE-918" ], "github_reviewed": true, "nvd_published_at": null }- References
-
- https://github.com/openclaw/openclaw/security/advisories/GHSA-x22m-j5qq-j49m
- https://github.com/openclaw/openclaw/pull/16285
- https://github.com/openclaw/openclaw/commit/5b4121d6011a48c71e747e3c18197f180b872c5d
- https://github.com/openclaw/openclaw
- https://github.com/openclaw/openclaw/releases/tag/v2026.2.14
Affected packages
npm / openclaw
Package
- Name
- openclaw
- View open source insights on deps.dev
- Purl
- pkg:npm/openclaw