6.9
OpenClaw: Feishu Mention Data Can Cause Message Corruption or Slowdowns
GHSA-c6hr-w26q-c636
Summary
A security issue in OpenClaw allows an attacker to manipulate message content or slow down message processing if they can control Feishu mention metadata. This can happen if you're using OpenClaw versions 2026.2.6 to 2026.2.17. To fix this, update to version 2026.2.19.
What to do
- Update openclaw to version 2026.2.19.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | openclaw | <= 2026.2.19 | 2026.2.19 |
Original title
OpenClaw has ReDoS and regex injection via unescaped Feishu mention metadata in RegExp construction
Original description
## Summary
`extensions/feishu/src/bot.ts` constructed `new RegExp()` directly from Feishu mention metadata (`mention.name`, `mention.key`) in `stripBotMention()` without escaping regex metacharacters.
## Affected Packages / Versions
- Package: npm `openclaw`
- Affected versions: `<= 2026.2.17`
- First affected release: `2026.2.6`
- Patched version: `2026.2.19`
## Impact
- ReDoS: crafted nested-quantifier patterns in mention metadata can trigger catastrophic backtracking and block message processing.
- Regex injection: metacharacters in mention metadata can remove unintended message content before it is sent to the model.
## Fix Commit(s)
- `7e67ab75cc2f0e93569d12fecd1411c2961fcc8c`
- `74268489137510b6f6349919d1e197b17290d92c`
Thanks @allsmog for reporting.
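The following is an added illustration of the bug class described above (not OpenClaw's code): the unescaped `new RegExp()` construction beside a hardened form that escapes the mention text first. Function names, the `mention` object shape and the sample messages are assumptions made for the example.

```javascript
// Added example, not OpenClaw's stripBotMention(); names and inputs are assumed.

// Escape every regex metacharacter so attacker-influenced text matches literally.
function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// Detection aid: true when a mention name would alter the pattern's meaning
// if interpolated unescaped (useful for logging suspicious metadata).
function mentionNeedsEscaping(name) {
  return escapeRegExp(name) !== name;
}

// Mirrors the vulnerable shape: mention metadata goes straight into RegExp.
// Metacharacters in `mention.name` change what gets stripped from the message.
function stripBotMentionUnsafe(text, mention) {
  const re = new RegExp(`@${mention.name}\\s*`, "g");
  return text.replace(re, "").trim();
}

// Hardened form: the mention is escaped, so only the literal token is removed.
function stripBotMentionSafe(text, mention) {
  const re = new RegExp(`@${escapeRegExp(mention.name)}\\s*`, "g");
  return text.replace(re, "").trim();
}

// Constructed sample inputs (not from the advisory).
const SAMPLE_TEXT = "@bot please summarize this";
const BENIGN_MENTION = { name: "bot", key: "ou_constructed_1" };
const METACHAR_MENTION = { name: "bot.*", key: "ou_constructed_2" };

// Demonstration: the unsafe form lets metacharacters in the name swallow the
// whole message; the safe form leaves unrelated content untouched.
function demo() {
  return {
    benignUnsafe: stripBotMentionUnsafe(SAMPLE_TEXT, BENIGN_MENTION),
    benignSafe: stripBotMentionSafe(SAMPLE_TEXT, BENIGN_MENTION),
    metaUnsafe: stripBotMentionUnsafe(SAMPLE_TEXT, METACHAR_MENTION),
    metaSafe: stripBotMentionSafe(SAMPLE_TEXT, METACHAR_MENTION),
    flagged: mentionNeedsEscaping(METACHAR_MENTION.name),
  };
}
```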
CVSS 4.0 (GHSA): 6.9
Vulnerability type
CWE-1333
Inefficient Regular Expression Complexity (ReDoS)
Published: 2 Mar 2026 · Updated: 7 Mar 2026 · First seen: 6 Mar 2026