Executive Summary

CVE-2026-22178 is a vulnerability in OpenClaw versions prior to 2026.2.19 involving Regular Expression Denial of Service (ReDoS) and regex injection.

The issue occurs in the stripBotMention function, which constructs RegExp objects directly from unescaped Feishu mention metadata fields such as mention.name and mention.key.

Because the metadata is not properly escaped, attackers can inject malicious regex patterns containing nested quantifiers or metacharacters. This can cause catastrophic backtracking in the regex engine, leading to denial of service by blocking message processing or unintended removal of content before it is processed by the model.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can impact you by allowing attackers to cause a denial of service (DoS) on systems using vulnerable OpenClaw versions.

Specifically, crafted Feishu mention metadata with malicious regex patterns can trigger catastrophic backtracking, which exhausts CPU resources and blocks message processing.

Additionally, regex injection can cause unintended removal or alteration of message content before it is processed by the model, potentially corrupting or altering data.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

This vulnerability arises from the construction of RegExp objects directly from unescaped Feishu mention metadata in the stripBotMention function, which can be exploited by crafted mention metadata containing nested quantifiers or regex metacharacters.

To detect exploitation attempts or presence of this vulnerability on your system, you can monitor logs or message processing for symptoms of denial of service such as blocked message processing or unusually high CPU usage during message parsing.

Specifically, you can look for messages containing Feishu mention metadata fields (mention.name or mention.key) with suspicious regex metacharacters or nested quantifiers patterns.

While no explicit detection commands are provided in the resources, you might use commands to monitor CPU usage or logs for errors related to message processing delays or failures.

• Use system monitoring tools like `top` or `htop` to detect high CPU usage spikes during message processing.
• Check application logs for errors or warnings related to Feishu message parsing or regex failures.
• If you have access to the source or runtime environment, search for unescaped usage of RegExp construction on mention metadata fields, e.g., grep for `new RegExp(mention.name)` or `new RegExp(mention.key)` in the codebase.

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation is to upgrade OpenClaw to version 2026.2.19 or later, where the vulnerability has been fixed by properly escaping regex metacharacters in Feishu mention metadata before constructing RegExp objects.

The fix involves escaping all regex metacharacters in mention.name and mention.key fields in the stripBotMention function, preventing regex injection and ReDoS attacks.

If immediate upgrade is not possible, consider applying the patches from commits `7e67ab75cc2f0e93569d12fecd1411c2961fcc8c` and `74268489137510b6f6349919d1e197b17290d92c` which implement the escaping logic.

• Upgrade OpenClaw to version 2026.2.19 or later.
• Apply the security patches that escape regex metacharacters in Feishu mention metadata.
• Monitor message processing for unusual delays or failures until the fix is applied.

Useful 0 Not Useful 0