GHSA-G353-MGV3-8PCJ: Authentication Bypass via Forged Webhook Events in OpenClaw Feishu Integration
CVSS Score: 8.6
Published: 2026-03-13
Full Report: https://cvereports.com/reports/GHSA-G353-MGV3-8PCJ
OpenClaw versions prior to 2026.3.12 contain a high-severity authentication bypass vulnerability in the Feishu channel integration. When configured in webhook mode without an encryption key, the system relies solely on a static plaintext token, allowing unauthenticated remote attackers to inject forged events and execute unauthorized actions.
OpenClaw < 2026.3.12 is vulnerable to event forgery in its Feishu webhook integration due to missing mandatory encryption validation, allowing arbitrary command execution.
- CVSS Score: 8.6 (High)
- CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:N
- CWE ID: CWE-290, CWE-345
- Attack Vector: Network
- Privileges Required: None
- Exploit Status: PoC / Active
Affected Components:
- OpenClaw Feishu (Lark) Channel Integration
- OpenClaw Webhook Listener
- openclaw: < 2026.3.12 (Fixed in: 2026.3.12)
Mitigations:
- Upgrade OpenClaw core to version 2026.3.12 or newer.
- Enforce AES payload encryption in the Feishu Open Platform console.
- Migrate from webhook connection mode to websocket connection mode if inbound HTTP routing is not strictly required.
Remediation Steps:
- Navigate to the Feishu Open Platform console for your registered application.
- Select 'Development', then 'Events & Callbacks', and locate the 'Encryption' section.
- Generate and copy the 'Encrypt Key'.
- Update the openclaw.json configuration file to include the 'encryptKey' property.
- Restart the OpenClaw service to apply the configuration validation.
- Verify the application boots successfully and test event reception.
References:
- GitHub Security Advisory GHSA-G353-MGV3-8PCJ
- Fix Commit 7844bc89a1612800810617c823eb0c76ef945804
- Pull Request 44087
- OpenClaw v2026.3.12 Release Notes
Generated by CVEReports - Automated Vulnerability Intelligence