OpenClaw Feishu Extension Local File Disclosure Vulnerability
Vulnerability
A local file disclosure vulnerability has been identified in the OpenClaw Feishu extension, prior to version 2026.2.14. The issue arises because the 'sendMediaFeishu' function allowed attacker-controlled 'mediaUrl' values to be interpreted as local filesystem paths, enabling direct access to those files. This vulnerability could be exploited by supplying paths like '/etc/passwd' to exfiltrate local files. The problem could be triggered by influencing tool calls, either directly or through prompt injection.
Impact
Exploitation of this vulnerability could lead to unauthorized access and disclosure of local files, including sensitive system files such as '/etc/passwd'.
Reproduction
To reproduce this vulnerability, use an OpenClaw Feishu extension version prior to 2026.2.14. Send a media URL through the 'sendMediaFeishu' function that includes a path to a local file, such as '/etc/passwd'. The extension will read the file and return its contents, demonstrating the local file disclosure.
Remediation
Upgrade to OpenClaw version 2026.2.14 or newer. The patched version removes direct local-file reads driven by the 'mediaUrl' parameter and instead resolves media through guarded helpers that enforce a containment rule, so that only files inside the user's workspace can be read.
