GHSA-m69h-jm2f-2pv8: Authorization Bypass via Insecure Event Resolution in OpenClaw Feishu Extension
CVSS Score: Moderate
Published: 2026-03-13
Full Report: https://cvereports.com/reports/GHSA-M69H-JM2F-2PV8
An authorization bypass vulnerability exists in the Feishu extension of the OpenClaw AI assistant framework. By exploiting an insecure default in the reaction event processing logic, attackers can trigger bot actions in restricted group contexts, bypassing mention gating and group authorization controls.
OpenClaw versions prior to 2026.3.12 contain a logic flaw in the Feishu extension where ambiguous chat types default to 'p2p' (peer-to-peer). This allows attackers to bypass group Access Control Lists (ACLs) and mention requirements by reacting to messages with manipulated webhook payloads.
- Attack Vector: Network
- Impact: Authorization Bypass
- Vulnerable Component: Feishu Extension (resolveReactionSyntheticEvent)
- Fixed Version: 2026.3.12
- Exploit Status: Unproven / Theoretical
- CWE ID: CWE-863 (Incorrect Authorization)
- OpenClaw AI assistant framework
- OpenClaw Feishu (Lark) Extension
- openclaw: < 2026.3.12 (Fixed in: 2026.3.12)
- Upgrade the openclaw package to the latest patched version.
- Implement restrictive webhook filtering at the reverse proxy layer.
- Disable reaction event subscriptions in the Feishu developer console as a temporary workaround.
Remediation Steps:
- Access the deployment environment where the OpenClaw application is hosted.
- Update the openclaw dependency in package.json to version >= 2026.3.12.
- Execute npm install or yarn install to pull the updated package.
- Restart the OpenClaw application service to apply the updated logic.
- Verify the bot correctly drops reaction events that lack valid chat type metadata.
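The insecure default the advisory describes, placed beside a strict resolver that drops ambiguous events, as an added JavaScript illustration that is not OpenClaw's code; the function names, the payload shape and the gating rules are assumptions made for the example.

```javascript
// Added illustration (not OpenClaw's code): a reaction-event resolver that
// derives the chat context from a Feishu webhook payload. The "insecure"
// variant reproduces the flaw class in the advisory by defaulting an unknown
// chat type to 'p2p'; the "strict" variant drops the event instead, so group
// gating (mention requirement, group ACL) cannot be skipped by omitting or
// mangling the chat type field.

const VALID_CHAT_TYPES = new Set(['p2p', 'group']);

// Constructed sample payloads; the shape is illustrative, not Feishu's exact schema.
const SAMPLE_EVENTS = {
  explicitGroup: { event: { message_id: 'om_1', chat_type: 'group', operator_id: { open_id: 'ou_1' } } },
  missingChatType: { event: { message_id: 'om_2', operator_id: { open_id: 'ou_1' } } },
  bogusChatType: { event: { message_id: 'om_3', chat_type: 'GROUP ', operator_id: { open_id: 'ou_1' } } },
};

// Insecure variant: anything that is not literally 'group' becomes 'p2p'.
function resolveChatTypeInsecure(payload) {
  const t = payload?.event?.chat_type;
  return t === 'group' ? 'group' : 'p2p';
}

// Strict variant: only an explicit, exact 'p2p' or 'group' is accepted;
// an ambiguous event yields null and the caller must discard it.
function resolveChatTypeStrict(payload) {
  const t = payload?.event?.chat_type;
  return typeof t === 'string' && VALID_CHAT_TYPES.has(t) ? t : null;
}

// Gate decision: group chats require an @mention of the bot and group ACL
// membership; p2p chats are treated as already authorized because the sender
// has a direct conversation with the bot. A null chat type is always dropped.
function shouldHandleReaction(payload, { resolver, mentioned, groupAllowed }) {
  const chatType = resolver(payload);
  if (chatType === null) return { handle: false, reason: 'dropped: no valid chat type' };
  if (chatType === 'p2p') return { handle: true, reason: 'p2p' };
  if (!mentioned) return { handle: false, reason: 'group: bot not mentioned' };
  if (!groupAllowed) return { handle: false, reason: 'group: not in ACL' };
  return { handle: true, reason: 'group: mention + ACL ok' };
}
```

Running the same unmentioned, non-ACL event through both resolvers shows the difference: the insecure one classifies it as p2p and handles it, the strict one drops it.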
Generated by CVEReports - Automated Vulnerability Intelligence