CVE-2026-22178

OpenClaw versions prior to 2026.2.19 construct RegExp objects directly from unescaped Feishu mention metadata in the stripBotMention function, allowing regex injection and denial of service. Attackers can craft nested-quantifier patterns or metacharacters in mention metadata to trigger catastrophic backtracking, block message processing, or remove unintended content before model processing.

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 2.5

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact LOW

Scope UNCHANGED

References

Link	Resource
https://github.com/openclaw/openclaw/commit/74268489137510b6f6349919d1e197b17290d92c	Patch
https://github.com/openclaw/openclaw/commit/7e67ab75cc2f0e93569d12fecd1411c2961fcc8c	Patch
https://github.com/openclaw/openclaw/security/advisories/GHSA-c6hr-w26q-c636	Vendor Advisory
https://www.vulncheck.com/advisories/openclaw-redos-and-regex-injection-via-unescaped-feishu-mention-metadata	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*

History

19 Mar 2026, 16:07

Type	Values Removed	Values Added
CPE		cpe:2.3:a:openclaw:openclaw::::::node.js::*
References	~~() https://github.com/openclaw/openclaw/commit/74268489137510b6f6349919d1e197b17290d92c -~~	() https://github.com/openclaw/openclaw/commit/74268489137510b6f6349919d1e197b17290d92c - Patch
References	~~() https://github.com/openclaw/openclaw/commit/7e67ab75cc2f0e93569d12fecd1411c2961fcc8c -~~	() https://github.com/openclaw/openclaw/commit/7e67ab75cc2f0e93569d12fecd1411c2961fcc8c - Patch
References	~~() https://github.com/openclaw/openclaw/security/advisories/GHSA-c6hr-w26q-c636 -~~	() https://github.com/openclaw/openclaw/security/advisories/GHSA-c6hr-w26q-c636 - Vendor Advisory
References	~~() https://www.vulncheck.com/advisories/openclaw-redos-and-regex-injection-via-unescaped-feishu-mention-metadata -~~	() https://www.vulncheck.com/advisories/openclaw-redos-and-regex-injection-via-unescaped-feishu-mention-metadata - Third Party Advisory
First Time		Openclaw openclaw Openclaw

18 Mar 2026, 14:52

Type	Values Removed	Values Added
Summary		(es) Las versiones de OpenClaw anteriores a la 2026.2.19 construyen objetos RegExp directamente a partir de metadatos de menciones de Feishu sin escapar en la función stripBotMention, lo que permite la inyección de expresiones regulares y la denegación de servicio. Los atacantes pueden crear patrones de cuantificadores anidados o metacaracteres en los metadatos de las menciones para desencadenar un retroceso catastrófico, bloquear el procesamiento de mensajes o eliminar contenido no deseado antes del procesamiento del modelo.

18 Mar 2026, 02:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-18 02:16

Updated : 2026-03-19 16:07

NVD link : CVE-2026-22178

Mitre link : CVE-2026-22178

CVE.ORG link : CVE-2026-22178

JSON object : View

Products Affected

openclaw

openclaw

CWE

CWE-1333

Inefficient Regular Expression Complexity

6.5 /10