← volver
CVE-2026-28451

OpenClaw < 2026.2.14 - SSRF via Feishu Extension Media Fetching

CVSS 6.3 MEDIUMEPSS 0.3%CWE-918
Vexday Risk Score
13Bajo
Decisión SSVC (CISA)
Track
Sin señal de explotación → monitorear
CVSS 6.3EPSS 0.3%KEV nãoPoC Nuclei Metasploit Patch referenciado
Ciclo de vida
05 mar 2026Publicada en NVD
Recomendación: Monitorear — sin señal de explotación por ahora.
OpenClaw versions prior to 2026.2.14 contain server-side request forgery vulnerabilities in the Feishu extension that allow attackers to fetch attacker-controlled remote URLs without SSRF protections via sendMediaFeishu function and markdown image processing. Attackers can influence tool calls through direct manipulation or prompt injection to trigger requests to internal services and re-upload responses as Feishu media.
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L
Productos afectados
OpenClaw · OpenClaw

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →
Referencias
https://github.com/openclaw/openclaw/commit/5b4121d6011a48c71e747e3c18197f180b872c5dhttps://github.com/openclaw/openclaw/security/advisories/GHSA-x22m-j5qq-j49mhttps://www.vulncheck.com/advisories/openclaw-ssrf-via-feishu-extension-media-fetching