Lucene search
K

34 matches found

Github Security Blog
Github Security Blog
added 2026/04/28 12:31 a.m.10 views

Duplicate Advisory: OpenClaw: Feishu extension resolveUploadInput bypasses file-system sandbox and allows arbitrary file reads via upload_image

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-qf48-qfv4-jjm9. This link is maintained to preserve external references. Original Description OpenClaw versions 2026.2.6 through 2026.3.24 contain a path traversal vulnerability in the Feishu extension...

6.5CVSS5.8AI score0.00339EPSS
Exploits0References4Affected Software1
OSV
OSV
added 2026/04/28 12:31 a.m.6 views

GHSA-QP56-GP47-JWJ3 Duplicate Advisory: OpenClaw: Feishu extension resolveUploadInput bypasses file-system sandbox and allows arbitrary file reads via upload_image

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-qf48-qfv4-jjm9. This link is maintained to preserve external references. Original Description OpenClaw versions 2026.2.6 through 2026.3.24 contain a path traversal vulnerability in the Feishu extension...

6CVSS5.8AI score0.00339EPSS
Exploits0References3
NVD
NVD
added 2026/04/28 12:16 a.m.5 views

CVE-2026-41363

OpenClaw versions 2026.2.6 through 2026.3.24 contain a path traversal vulnerability in the Feishu extension resolveUploadInput function that bypasses file-system sandbox restrictions. Attackers can exploit improper path resolution during uploadimage operations to read arbitrary files outside...

6.5CVSS0.00339EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2026/04/27 11:24 p.m.4 views

CVE-2026-41363 OpenClaw 2026.2.6 < 2026.3.28 - Arbitrary File Read via Feishu upload_image Parameter

OpenClaw versions 2026.2.6 through 2026.3.24 contain a path traversal vulnerability in the Feishu extension resolveUploadInput function that bypasses file-system sandbox restrictions. Attackers can exploit improper path resolution during uploadimage operations to read arbitrary files outside...

6CVSS5.4AI score0.00339EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/04/27 11:24 p.m.3 views

CVE-2026-41363

OpenClaw versions 2026.2.6 through 2026.3.24 contain a path traversal vulnerability in the Feishu extension resolveUploadInput function that bypasses file-system sandbox restrictions. Attackers can exploit improper path resolution during uploadimage operations to read arbitrary files outside...

6CVSS5.5AI score0.00339EPSS
Exploits0References3Affected Software1
CVE
CVE
added 2026/04/27 11:24 p.m.24 views

CVE-2026-41363

OpenClaw vulnerable versions 2026.2.6–2026.3.24 due to a path traversal flaw in the Feishu extension resolveUploadInput function. Improper path resolution during upload_image operations allows reading arbitrary files outside configured localRoots, bypassing file-system sandbox restrictions. Impac...

6.5CVSS5.5AI score0.00339EPSS
Exploits0References2Affected Software1
EUVD
EUVD
added 2026/04/27 11:24 p.m.7 views

EUVD-2026-25943

OpenClaw versions 2026.2.6 through 2026.3.24 contain a path traversal vulnerability in the Feishu extension resolveUploadInput function that bypasses file-system sandbox restrictions. Attackers can exploit improper path resolution during uploadimage operations to read arbitrary files outside...

6CVSS5.4AI score0.00339EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/04/27 12:0 a.m.7 views

PT-2026-35551

OpenClaw versions 2026.2.6 through 2026.3.24 contain a path traversal vulnerability in the Feishu extension resolveUploadInput function that bypasses file-system sandbox restrictions. Attackers can exploit improper path resolution during upload image operations to read arbitrary files outside...

6CVSS5.4AI score0.00339EPSS
Exploits0References3
Snyk
Snyk
added 2026/03/31 11:53 p.m.3 views

Incorrect Authorization

Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Incorrect Authorization via the uploadimage process in the Feishu extension. An attacker can access arbitrary files outside the intended file-system sandbox by submitting crafted upload...

6.5CVSS6AI score0.00339EPSS
Exploits0References3
Snyk
Snyk
added 2026/03/31 11:53 p.m.6 views

Incorrect Authorization

Overview @openclaw/feishu is an OpenClaw Feishu/Lark channel plugin community maintained by @m1heng Affected versions of this package are vulnerable to Incorrect Authorization via the uploadimage process in the Feishu extension. An attacker can access arbitrary files outside the intended...

6.5CVSS6AI score0.00339EPSS
Exploits0References3
OSV
OSV
added 2026/03/31 11:53 p.m.3 views

GHSA-QF48-QFV4-JJM9 OpenClaw: Feishu extension resolveUploadInput bypasses file-system sandbox and allows arbitrary file reads via upload_image

Summary Feishu upload path resolution could read files outside the configured localRoots sandbox before handing them to the upload path. Impact A tool caller constrained to workspace or localRoots paths could exfiltrate arbitrary host files through Feishu upload actions. Affected Component...

6CVSS6AI score0.00339EPSS
Exploits0References5
RedhatCVE
RedhatCVE
added 2026/03/07 1:44 a.m.8 views

CVE-2026-28451

OpenClaw versions prior to 2026.2.14 contain server-side request forgery vulnerabilities in the Feishu extension that allow attackers to fetch attacker-controlled remote URLs without SSRF protections via sendMediaFeishu function and markdown image processing. Attackers can influence tool calls...

9.3CVSS5.8AI score0.00275EPSS
Exploits0References1
NVD
NVD
added 2026/03/05 10:16 p.m.13 views

CVE-2026-28451

OpenClaw versions prior to 2026.2.14 contain server-side request forgery vulnerabilities in the Feishu extension that allow attackers to fetch attacker-controlled remote URLs without SSRF protections via sendMediaFeishu function and markdown image processing. Attackers can influence tool calls...

9.3CVSS0.00275EPSS
Exploits0References3
OSV
OSV
added 2026/03/05 10:16 p.m.5 views

CVE-2026-28451

OpenClaw versions prior to 2026.2.14 contain server-side request forgery vulnerabilities in the Feishu extension that allow attackers to fetch attacker-controlled remote URLs without SSRF protections via sendMediaFeishu function and markdown image processing. Attackers can influence tool calls...

9.3CVSS5.8AI score
Exploits0References3
CVE
CVE
added 2026/03/05 9:59 p.m.25 views

CVE-2026-28451

CVE-2026-28451 affects OpenClaw prior to 2026.2.14. The Feishu extension contains server-side request forgery (SSRF) in two paths: sendMediaFeishu(mediaUrl) and markdown image processing in Feishu DocX. An attacker who can influence tool calls or prompt injection can trigger requests to attacker-...

9.3CVSS5.9AI score0.00275EPSS
Exploits0References3Affected Software1
Vulnrichment
Vulnrichment
added 2026/03/05 9:59 p.m.0 views

CVE-2026-28451 OpenClaw < 2026.2.14 - SSRF via Feishu Extension Media Fetching

OpenClaw versions prior to 2026.2.14 contain server-side request forgery vulnerabilities in the Feishu extension that allow attackers to fetch attacker-controlled remote URLs without SSRF protections via sendMediaFeishu function and markdown image processing. Attackers can influence tool calls...

8.3CVSS5.8AI score0.00275EPSS
Exploits0References3
EUVD
EUVD
added 2026/03/05 9:59 p.m.5 views

EUVD-2026-9900

OpenClaw versions prior to 2026.2.14 contain server-side request forgery vulnerabilities in the Feishu extension that allow attackers to fetch attacker-controlled remote URLs without SSRF protections via sendMediaFeishu function and markdown image processing. Attackers can influence tool calls...

6.3CVSS5.9AI score0.00275EPSS
Exploits0References3
ATTACKERKB
ATTACKERKB
added 2026/03/05 9:59 p.m.6 views

CVE-2026-28451

OpenClaw versions prior to 2026.2.14 contain server-side request forgery vulnerabilities in the Feishu extension that allow attackers to fetch attacker-controlled remote URLs without SSRF protections via sendMediaFeishu function and markdown image processing. Attackers can influence tool calls...

6.3CVSS5.9AI score0.00275EPSS
Exploits0References4
Cvelist
Cvelist
added 2026/03/05 9:59 p.m.36 views

CVE-2026-28451 OpenClaw < 2026.2.14 - SSRF via Feishu Extension Media Fetching

OpenClaw versions prior to 2026.2.14 contain server-side request forgery vulnerabilities in the Feishu extension that allow attackers to fetch attacker-controlled remote URLs without SSRF protections via sendMediaFeishu function and markdown image processing. Attackers can influence tool calls...

8.3CVSS0.00275EPSS
Exploits0References3
CNNVD
CNNVD
added 2026/03/05 12:0 a.m.7 views

OpenClaw 代码问题漏洞

OpenClaw is an open-source intelligent artificial assistant. Versions of OpenClaw prior to 2026.2.14 had code-related vulnerabilities. These vulnerabilities stemmed from a server-side request forgeing vulnerability in the Feishu extension, which could allow attackers to obtain control of remote...

9.3CVSS5.8AI score0.00275EPSS
Exploits0References3
Rows per page
Query Builder