CVE-2026-22178
Published: 18 March 2026
Summary
CVE-2026-22178 is a medium-severity Inefficient Regular Expression Complexity (CWE-1333) vulnerability in Openclaw Openclaw. Its CVSS base score is 6.5 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 19.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Flaw remediation directly addresses the vulnerability by applying the vendor patch in OpenClaw 2026.2.19 that fixes regex construction from unescaped metadata.
Information input validation ensures Feishu mention metadata is sanitized or validated before use in RegExp construction, preventing regex injection.
Denial-of-service protection limits effects of catastrophic backtracking by enforcing resource limits and detecting excessive processing in the regex engine.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Directly enables application-layer DoS via regex injection and catastrophic backtracking (CWE-1333) in message processing; secondary low-integrity content manipulation also possible.
NVD Description
OpenClaw versions prior to 2026.2.19 construct RegExp objects directly from unescaped Feishu mention metadata in the stripBotMention function, allowing regex injection and denial of service. Attackers can craft nested-quantifier patterns or metacharacters in mention metadata to trigger catastrophic backtracking, block…
more
message processing, or remove unintended content before model processing.
Deeper analysisAI
CVE-2026-22178 is a regex injection and denial-of-service vulnerability in OpenClaw versions prior to 2026.2.19. It occurs in the stripBotMention function, where RegExp objects are constructed directly from unescaped Feishu mention metadata. This flaw, classified under CWE-1333 (Inefficient Regular Expression Complexity), enables attackers to inject malicious patterns, with a CVSS v3.1 base score of 6.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L).
Remote attackers require no privileges or user interaction to exploit the vulnerability by crafting mention metadata containing nested-quantifier patterns or metacharacters. Successful exploitation triggers catastrophic backtracking in the regex engine, causing denial of service through blocked message processing. Additionally, attackers can remove unintended content before it reaches model processing, resulting in low integrity and availability impacts.
Mitigation is addressed in OpenClaw version 2026.2.19 and later via patches in GitHub commits 74268489137510b6f6349919d1e197b17290d92c and 7e67ab75cc2f0e93569d12fecd1411c2961fcc8c. Further details on the fix and impacts are provided in the GitHub security advisory GHSA-c6hr-w26q-c636 and the VulnCheck advisory at https://www.vulncheck.com/advisories/openclaw-redos-and-regex-injection-via-unescaped-feishu-mention-metadata.
Details
- CWE(s)