CVE-2026-22178 · HIGH 8.2 · EPSS p22.6%

CVE-2026-22178

Description

OpenClaw versions prior to 2026.2.19 build RegExp objects directly from unescaped Feishu mention metadata in the stripBotMention function, allowing regex injection and denial of service. An attacker who controls that metadata can supply nested-quantifier patterns that trigger catastrophic backtracking and stall message processing, or metacharacters that strip unintended content from the message before it reaches the model.
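To make the two failure modes in the description concrete, here is an added example, not OpenClaw's code and not taken from the referenced commits: a stripBotMention written in the vulnerable shape (mention name spliced into the RegExp source) beside a hardened one that escapes the name first. The function signatures, the mention.name field, the escapeRegExp helper, the sample message and the sample mention names are all assumptions made for this illustration; the project's actual fix may differ.

```javascript
// Added illustration of the bug class behind CVE-2026-22178 (regex injection
// and CWE-1333 ReDoS). Not OpenClaw's code: the function shapes, the
// mention-metadata object and the sample inputs are assumptions made here.

// Escape every regex metacharacter so an untrusted string is matched literally.
function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// Vulnerable shape: the bot name taken from (attacker-influenced) mention
// metadata is spliced straight into the RegExp source.
function stripBotMentionVulnerable(text, mention) {
  const re = new RegExp(`@${mention.name}\\s*`, "g");
  return text.replace(re, "");
}

// Hardened shape: escape first, so metacharacters are literal and a
// nested-quantifier name never reaches the regex engine as a pattern.
function stripBotMentionSafe(text, mention) {
  const re = new RegExp(`@${escapeRegExp(mention.name)}\\s*`, "g");
  return text.replace(re, "");
}

// Does building the mention pattern throw? A name with an unbalanced bracket
// makes `new RegExp` raise SyntaxError; a handler that does not catch it
// stops processing that message.
function stripThrows(strip, text, mention) {
  try {
    strip(text, mention);
    return false;
  } catch (e) {
    return e instanceof SyntaxError;
  }
}

// Wall-clock cost of the vulnerable path on a short non-matching input.
// n is deliberately small: with the pattern `(a+)+$` each extra "a" roughly
// doubles the backtracking work, which is the denial-of-service lever.
function vulnerableCostMs(n) {
  const mention = { name: "(a+)+$" };
  const text = "@" + "a".repeat(n) + "!";
  const start = Date.now();
  stripBotMentionVulnerable(text, mention);
  return Date.now() - start;
}

// Constructed sample message.
const MSG = "@bot summarize this thread and list the action items";

// Constructed mention metadata: benign, metacharacter-bearing, malformed, ReDoS-shaped.
const BENIGN = { name: "bot" };
const WILDCARD = { name: "bot.*" };   // ".*" swallows the rest of the message
const BROKEN = { name: "bot(" };      // unbalanced "(" makes `new RegExp` throw
const NESTED = { name: "(a+)+$" };    // classic catastrophic-backtracking shape

console.log(JSON.stringify({
  vulnerableBenign: stripBotMentionVulnerable(MSG, BENIGN),
  vulnerableWildcard: stripBotMentionVulnerable(MSG, WILDCARD),
  safeWildcard: stripBotMentionSafe(MSG, WILDCARD),
  vulnerableBrokenThrows: stripThrows(stripBotMentionVulnerable, MSG, BROKEN),
  safeBrokenThrows: stripThrows(stripBotMentionSafe, MSG, BROKEN),
  safeNested: stripBotMentionSafe(MSG, NESTED),
  vulnerableNestedMs: vulnerableCostMs(16),
}, null, 2));
```

With the benign name both versions remove the mention and nothing else. With "bot.*" the vulnerable version erases the whole message before the model sees it, while the hardened version leaves it untouched because no literal "@bot.*" occurs. The malformed name shows the third consequence: the vulnerable path throws at RegExp construction. Do not raise n in vulnerableCostMs casually; the point of the function is that the cost grows exponentially, not that it is survivable at 16.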

Scoring

CVSS 3.1: 8.2 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
EPSS: 0.31% probability of exploitation · percentile 22.6% · 2026-06-19T12:03:05Z
Published: 2026-03-18
Last modified: 2026-03-19

Underlying weaknesses · 1

CWE-1333 (Inefficient Regular Expression Complexity)

References

  1. https://github.com/openclaw/openclaw/commit/74268489137510b6f6349919d1e197b17290d92c
  2. https://github.com/openclaw/openclaw/commit/7e67ab75cc2f0e93569d12fecd1411c2961fcc8c
  3. https://github.com/openclaw/openclaw/security/advisories/GHSA-c6hr-w26q-c636
  4. https://www.vulncheck.com/advisories/openclaw-redos-and-regex-injection-via-unescaped-feishu-mention-metadata

Type     | Target                                                | Confidence | Tier
Weakness | Inefficient Regular Expression Complexity (cwe-1333)  | 0%         | live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE-2026-32924
  2. CVE-2026-28448
  3. CVE-2026-34507
  4. CVE-2026-35670
  5. CVE-2026-28451
  6. CVE-2026-28454
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.