3 matches found
CVE-2026-26321 OpenClaw has a local file disclosure via sendMediaFeishu in Feishu extension
OpenClaw is a personal AI assistant. Prior to OpenClaw version 2026.2.14, the Feishu extension previously allowed sendMediaFeishu to treat attacker-controlled mediaUrl values as local filesystem paths and read them directly. If an attacker can influence tool calls directly or via prompt injection...
Command Injection
Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Command Injection via the exec-approvals allowlist, when shell expansion is performed on argv tokens. An attacker can access sensitive files by supplying crafted arguments that leverage...
Incorrect Authorization
Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Incorrect Authorization via system.run. An attacker can bypass allowlist enforcement and approval prompts by supplying an allowlisted rawCommand while providing a different command argume...