Untriaged
Permalink
CVE-2026-22178
6.5 MEDIUM
- CVSS version: 3.1
- Attack vector (AV): NETWORK
- Attack complexity (AC): LOW
- Privileges required (PR): NONE
- User interaction (UI): NONE
- Scope (S): UNCHANGED
- Confidentiality impact (C): NONE
- Integrity impact (I): LOW
- Availability impact (A): LOW
OpenClaw < 2026.2.19 - ReDoS and Regex Injection via Unescaped Feishu Mention Metadata
OpenClaw versions prior to 2026.2.19 construct RegExp objects directly from unescaped Feishu mention metadata in the stripBotMention function, allowing regex injection and denial of service. Attackers can craft nested-quantifier patterns or metacharacters in mention metadata to trigger catastrophic backtracking, block message processing, or remove unintended content before model processing.
References
- Patch Commit #1 patch
- Patch Commit #2 patch
- VulnCheck Advisory: OpenClaw < 2026.2.19 - ReDoS and Regex Injection via Unescaped Feishu Mention Metadata third-party-advisory
- GitHub Security Advisory (GHSA-c6hr-w26q-c636) third-party-advisory
Affected products
OpenClaw
- <2026.2.19
- ==2026.2.19
Package maintainers
-
@chrisportela Chris Portela <chris@chrisportela.com>