Primary

Context

OpenClaw Path Traversal Vulnerability in Feishu Extension Allowing Arbitrary File Read

Vulnerability

A path traversal vulnerability has been identified in OpenClaw versions 2026.2.6 prior to 2026.3.24. The issue resides in the Feishu extension's resolveUploadInput function, where improper path resolution during upload_image operations can bypass file-system sandbox restrictions. This vulnerability allows attackers to read arbitrary files outside the designated localRoots boundaries.

Impact

Exploitation of this vulnerability could lead to unauthorized reading of files from the host system, bypassing workspace or localRoots path restrictions.

Remediation

Users can upgrade to OpenClaw version 2026.3.28 or later, where this vulnerability has been patched.

Added: Apr 28, 2026, 12:27 AM

Updated: Apr 28, 2026, 12:27 AM

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

0.8

exploitability

5.2

remediation

0.0

relevance

6.9

threat

0.0

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

0.8

exploitability

5.2

remediation

0.0

relevance

6.9

threat

0.0

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

OpenClaw Path Traversal Vulnerability in Feishu Extension Allowing Arbitrary File Read

Vulnerability

Impact

Remediation

Affected Products

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating