6.9
OpenClaw: Malicious Feishu Metadata Can Block Message Processing
GHSA-c6hr-w26q-c636
CVE-2026-22178
Summary
OpenClaw builds regular expressions directly from Feishu mention metadata without escaping regex metacharacters, so specially crafted metadata can trigger catastrophic backtracking and block message processing (a denial of service). To fix this issue, update OpenClaw to version 2026.2.19 or later.
What to do
- Update steipete openclaw to version 2026.2.19.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| steipete | openclaw | <= 2026.2.19 | 2026.2.19 |
Original title
OpenClaw versions prior to 2026.2.19 construct RegExp objects directly from unescaped Feishu mention metadata in the stripBotMention function, allowing regex injection and denial of service. Attack...
Original description
OpenClaw versions prior to 2026.2.19 construct RegExp objects directly from unescaped Feishu mention metadata in the stripBotMention function, allowing regex injection and denial of service. Attackers can craft nested-quantifier patterns or metacharacters in mention metadata to trigger catastrophic backtracking, block message processing, or remove unintended content before model processing.
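The construction the description refers to, as an added JavaScript illustration that is not OpenClaw's code: a stripBotMention-style helper that interpolates mention metadata straight into a RegExp, beside a version that escapes the metadata first so it can only ever match literally. The function signature, the `mention` object shape and the sample message are assumptions; only the function name stripBotMention comes from the advisory.

```javascript
// Added example, not OpenClaw's code. Shows why unescaped mention metadata
// in a RegExp is a problem and how escaping neutralises it. The mention
// object shape ({ name }) and the message text are constructed assumptions.

// Escape every RegExp metacharacter so the mention name matches literally.
// Once escaped, quantifiers and wildcards in the name have no special meaning,
// so neither regex injection nor nested-quantifier backtracking is possible.
function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// "Before": metadata is interpolated into the pattern as-is (the defect class
// the advisory describes). Any metacharacter in mention.name changes the regex.
function stripBotMentionUnsafe(text, mention) {
  const re = new RegExp(`@${mention.name}\\s*`, "g");
  return text.replace(re, "");
}

// "After": the untrusted name is escaped before the RegExp is built.
function stripBotMentionSafe(text, mention) {
  const re = new RegExp(`@${escapeRegExp(mention.name)}\\s*`, "g");
  return text.replace(re, "");
}

// Constructed samples: a plain bot name, and a name carrying a wildcard.
const plainMention = { name: "Bot" };
const wildcardMention = { name: ".*" };
const plainText = "@Bot hello";
const wildcardText = "@.* please summarize @alice's note";

// Both versions behave the same on a plain name.
console.log(stripBotMentionUnsafe(plainText, plainMention)); // "hello"
console.log(stripBotMentionSafe(plainText, plainMention));   // "hello"

// With a wildcard name the unsafe version removes the whole message
// ("remove unintended content"); the safe version strips only the mention.
console.log(JSON.stringify(stripBotMentionUnsafe(wildcardText, wildcardMention))); // ""
console.log(stripBotMentionSafe(wildcardText, wildcardMention)); // "please summarize @alice's note"
```

Run with `node`; the unsafe variant is kept only to show the contrast and should not be used as-is.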
osv CVSS 4.0 score: 7.8
Vulnerability type
CWE-1333
Inefficient Regular Expression Complexity (ReDoS)
- https://github.com/openclaw/openclaw/security/advisories/GHSA-c6hr-w26q-c636 URL
- https://github.com/openclaw/openclaw/commit/74268489137510b6f6349919d1e197b17290... URL
- https://github.com/openclaw/openclaw/commit/7e67ab75cc2f0e93569d12fecd1411c2961f... URL
- https://github.com/openclaw/openclaw Product
- https://www.vulncheck.com/advisories/openclaw-redos-and-regex-injection-via-unes...
Published: 18 Mar 2026 · Updated: 18 Mar 2026 · First seen: 18 Mar 2026