DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

GHSA-77W2-CRQV-CMV3: Authorization Bypass via Legacy Card Callbacks in OpenClaw Feishu Integration

Vulnerability ID: GHSA-77W2-CRQV-CMV3
CVSS Score: 5.3
Published: 2026-03-29

An authorization bypass in the OpenClaw Feishu integration lets an attacker execute privileged commands. A callback from a legacy-style interactive card, one that lacks the structure markers modern cards carry, is not put through the Direct Message (DM) pairing check, so a sender who never completed pairing can still reach command handling.

TL;DR

OpenClaw versions prior to 2026.3.26 fail to enforce Direct Message (DM) pairing validation on legacy Feishu interactive card callbacks, allowing unauthorized users to execute privileged commands.


⚠️ Exploit Status: POC

Technical Details

  • Vulnerability Class: Improper Authorization (CWE-285)
  • Component: openclaw npm package
  • Attack Vector: Network (Crafted JSON Card)
  • Severity: Medium
  • Exploit Status: Proof of Concept
  • Fix Availability: Available in version 2026.3.26

Affected Systems

  • OpenClaw Feishu Channel Integration
  • openclaw: < 2026.3.26 (Fixed in: 2026.3.26)

Code Analysis

Commit: 81c4597

Implement egress filtering in Feishu channel to block legacy interactive elements missing structured envelopes.

Added containsLegacyFeishuCardCommandValue and hasLegacyFeishuCardCommandValue in extensions/feishu/src/channel.ts.
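The bug class behind the summary and the fix commit above, shown as an added example that is not OpenClaw's code: a Feishu card-callback handler whose DM pairing gate is only reached for callbacks that look like modern cards, beside one that authorizes the sender before looking at the payload at all. The CardCallback type, the pairedSenders allow-list, the handler names and the "legacy card = bare string command" shape are assumptions made for this illustration; OpenClaw's real card formats and its containsLegacyFeishuCardCommandValue / hasLegacyFeishuCardCommandValue helpers are not reproduced here.

```typescript
// Added illustration, not OpenClaw's code. All names and payload shapes below
// are assumptions for the example, not the project's real types.

interface CardCallback {
  senderId: string;            // Feishu open_id of the user who clicked the card
  chatType: "p2p" | "group";   // p2p = direct message to the bot
  // Assumed shapes: a modern card carries a structured envelope object with the
  // command under `action`; a legacy card carries the command as a bare string.
  value: { envelope: string; action?: string } | string;
}

// Constructed allow-list of senders who completed DM pairing.
const pairedSenders: Set<string> = new Set(["ou_paired_operator"]);

function isPaired(senderId: string): boolean {
  return pairedSenders.has(senderId);
}

function isLegacyCardValue(value: CardCallback["value"]): boolean {
  return typeof value === "string";
}

function extractCommand(cb: CardCallback): string | undefined {
  return typeof cb.value === "string" ? cb.value : cb.value.action;
}

// Vulnerable pattern: the pairing check sits inside the "modern card" branch,
// so a legacy-shaped payload from an unpaired sender is dispatched as a
// command without ever being authorized.
function handleVulnerable(cb: CardCallback): string {
  if (!isLegacyCardValue(cb.value)) {
    if (cb.chatType === "p2p" && !isPaired(cb.senderId)) return "denied";
  }
  const cmd = extractCommand(cb);
  return cmd ? `executed:${cmd}` : "ignored";
}

// Hardened pattern: authorize on who sent the callback first, regardless of
// payload shape, then refuse to treat a legacy-shaped value as a command.
function handleHardened(cb: CardCallback): string {
  if (cb.chatType === "p2p" && !isPaired(cb.senderId)) return "denied";
  if (isLegacyCardValue(cb.value)) return "rejected-legacy";
  const cmd = extractCommand(cb);
  return cmd ? `executed:${cmd}` : "ignored";
}

// Constructed callbacks: the same "restart" command, as a modern card and as a
// legacy card, from an unpaired sender and from a paired one.
const modernFromStranger: CardCallback = {
  senderId: "ou_stranger", chatType: "p2p",
  value: { envelope: "structured", action: "restart" },
};
const legacyFromStranger: CardCallback = {
  senderId: "ou_stranger", chatType: "p2p", value: "restart",
};
const legacyFromPaired: CardCallback = {
  senderId: "ou_paired_operator", chatType: "p2p", value: "restart",
};
const modernFromPaired: CardCallback = {
  senderId: "ou_paired_operator", chatType: "p2p",
  value: { envelope: "structured", action: "restart" },
};

function demo(): Record<string, string> {
  return {
    vulnerableModernStranger: handleVulnerable(modernFromStranger), // denied
    vulnerableLegacyStranger: handleVulnerable(legacyFromStranger), // executed:restart (the bypass)
    hardenedLegacyStranger: handleHardened(legacyFromStranger),     // denied
    hardenedLegacyPaired: handleHardened(legacyFromPaired),         // rejected-legacy
    hardenedModernPaired: handleHardened(modernFromPaired),         // executed:restart
  };
}

console.log(demo());
```

The point of the hardened version is ordering: the authorization decision is made from the sender and chat type alone, so no payload shape, present or future, can route around it. Whether legacy-shaped values are then rejected outright (as here) or parsed is a separate policy choice.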

Mitigation Strategies

  • Upgrade the openclaw package to version 2026.3.26 or later.
  • Enforce DM pairing across all channels by setting the dmPolicy to 'pairing'.
  • Audit custom integration logic to ensure outbound card components utilize modern structured interaction envelopes.

Remediation Steps:

  1. Identify all Node.js projects utilizing the openclaw dependency.
  2. Update package.json to require "openclaw": ">=2026.3.26".
  3. Run package manager update commands (e.g., npm install or yarn upgrade).
  4. Validate that any local Feishu card generation templates use the 'oc' version specifier for interaction properties.
  5. Restart the OpenClaw service instances to apply the patch.
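The version check behind steps 1 to 3, as an added example rather than OpenClaw tooling: a small TypeScript audit that walks the `packages` map of a package-lock.json, finds every resolved copy of openclaw (a direct install or one nested under another dependency), and reports those below 2026.3.26. The lockfile fragment is constructed for the example; FIXED_VERSION and the function names are assumptions, not part of any project.

```typescript
// Added example, not OpenClaw tooling: flag lockfile entries that resolve
// openclaw below the fixed release, including nested copies.
const FIXED_VERSION = "2026.3.26";

// Turn "2026.3.26" or a range such as ">=2026.3.26" into numeric fields.
function parseVersion(v: string): number[] {
  const clean = v.replace(/^[\^~>=<\s]+/, "");
  return clean.split(".").map((part) => Number.parseInt(part, 10) || 0);
}

// Field-by-field numeric compare: -1 if a < b, 0 if equal, 1 if a > b.
function compareVersions(a: string, b: string): number {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  const n = Math.max(pa.length, pb.length);
  for (let i = 0; i < n; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

interface LockfilePackage { version?: string; }
interface Lockfile { packages?: Record<string, LockfilePackage>; }

// Returns "<path>@<version>" for every openclaw entry older than the fix.
function findVulnerableOpenclaw(lock: Lockfile): string[] {
  const hits: string[] = [];
  const packages = lock.packages || {};
  for (const path of Object.keys(packages)) {
    const meta = packages[path];
    if (!/(^|\/)node_modules\/openclaw$/.test(path) || !meta.version) continue;
    if (compareVersions(meta.version, FIXED_VERSION) < 0) {
      hits.push(`${path}@${meta.version}`);
    }
  }
  return hits;
}

// Constructed lockfile fragment (not from any real project): one direct install
// below the fix and one nested copy already at the fixed version.
const sampleLockfile: Lockfile = {
  packages: {
    "": { version: "1.0.0" },
    "node_modules/openclaw": { version: "2026.3.25" },
    "node_modules/some-plugin/node_modules/openclaw": { version: "2026.3.26" },
  },
};

console.log(findVulnerableOpenclaw(sampleLockfile)); // ["node_modules/openclaw@2026.3.25"]
```

To run it against a real project, pass `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` to findVulnerableOpenclaw. Checking the lockfile rather than package.json matters because a ">=2026.3.26" range in package.json only takes effect once the lock is regenerated and dependencies are reinstalled; nested copies pulled in by plugins are easy to miss otherwise.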

