DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

GHSA-G353-MGV3-8PCJ: Authentication Bypass via Forged Webhook Events in OpenClaw Feishu Integration

Vulnerability ID: GHSA-G353-MGV3-8PCJ
CVSS Score: 8.6
Published: 2026-03-13

OpenClaw versions prior to 2026.3.12 contain a high-severity authentication bypass vulnerability in the Feishu channel integration. When configured in webhook mode without an encryption key, the system relies solely on a static plaintext token, allowing unauthenticated remote attackers to inject forged events and execute unauthorized actions.

TL;DR

OpenClaw < 2026.3.12 is vulnerable to event forgery in its Feishu webhook integration because webhook mode did not require an encryption key, so inbound events were validated only against a static plaintext token; forged events could trigger arbitrary command execution.

⚠️ Exploit Status: PoC

Technical Details

  • CVSS Score: 8.6 (High)
  • CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:N
  • CWE ID: CWE-290, CWE-345
  • Attack Vector: Network
  • Privileges Required: None
  • Exploit Status: PoC / Active

Affected Systems

  • OpenClaw Feishu (Lark) Channel Integration
  • OpenClaw Webhook Listener
  • openclaw: < 2026.3.12 (Fixed in: 2026.3.12)

Code Analysis

Commit: 7844bc8

Fix: enforce encryptKey requirement for Feishu webhook mode

Exploit Details

  • GitHub Advisory: Details regarding the verification token bypass methodology.

Mitigation Strategies

  • Upgrade OpenClaw core to version 2026.3.12 or newer.
  • Enforce AES payload encryption in the Feishu Open Platform console.
  • Migrate from webhook connection mode to websocket connection mode if inbound HTTP routing is not strictly required.

Remediation Steps:

  1. Navigate to the Feishu Open Platform console for your registered application.
  2. Select 'Development', then 'Events & Callbacks', and locate the 'Encryption' section.
  3. Generate and copy the 'Encrypt Key'.
  4. Update the openclaw.json configuration file to include the 'encryptKey' property.
  5. Restart the OpenClaw service to apply the configuration validation.
  6. Verify the application boots successfully and test event reception.
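The check the fix commit describes (refuse webhook mode without an encryptKey) and the request verification that a shared Encrypt Key makes possible, as an added example; this is not OpenClaw's code. The config key names other than `encryptKey`, the `X-Lark-*` header names and the signature formula (SHA-256 over timestamp + nonce + key + body, as I read Feishu's event-subscription scheme) are assumptions; Feishu's AES encryption of the body is left out, since the signature check alone already rejects a sender who does not hold the key.

```python
import hashlib
import hmac
import json

# Config key names other than "encryptKey" are assumed for illustration;
# only "encryptKey" and the webhook/websocket modes appear in the advisory.
def validate_feishu_config(channel: dict) -> list:
    """The check the fix commit enforces: webhook mode must carry an encryptKey.
    Returns a list of problems; an empty list means the config is acceptable."""
    problems = []
    mode = channel.get("connectionMode", "webhook")
    if mode == "webhook" and not channel.get("encryptKey"):
        problems.append("webhook mode without encryptKey: a static verification "
                        "token is plaintext and proves nothing about the sender")
    return problems

def lark_signature(timestamp: str, nonce: str, encrypt_key: str, body: bytes) -> str:
    """Feishu's request signature as I understand its docs (assumption):
    hex SHA-256 over timestamp + nonce + encrypt_key + raw body."""
    return hashlib.sha256((timestamp + nonce + encrypt_key).encode() + body).hexdigest()

def verify_event(headers: dict, body: bytes, encrypt_key: str, now: int, max_skew: int = 300) -> bool:
    """Reject an inbound event unless its signature was produced with the shared
    Encrypt Key and its timestamp is fresh (bounds replay of a captured event)."""
    ts = headers.get("X-Lark-Request-Timestamp", "")
    nonce = headers.get("X-Lark-Request-Nonce", "")
    sig = headers.get("X-Lark-Signature", "")
    if not (ts.isdigit() and nonce and sig):
        return False
    if abs(now - int(ts)) > max_skew:
        return False
    expected = lark_signature(ts, nonce, encrypt_key, body)
    return hmac.compare_digest(expected, sig)

# Constructed sample data (not from the advisory).
ENCRYPT_KEY = "example-encrypt-key"
NOW = 1_700_000_000
BODY = json.dumps({"header": {"event_type": "im.message.receive_v1"},
                   "event": {"message": {"content": "hello"}}}).encode()

def signed_headers(body: bytes = BODY, key: str = ENCRYPT_KEY, ts: int = NOW) -> dict:
    """What a sender holding the Encrypt Key attaches to a request."""
    nonce = "n-1"
    return {"X-Lark-Request-Timestamp": str(ts),
            "X-Lark-Request-Nonce": nonce,
            "X-Lark-Signature": lark_signature(str(ts), nonce, key, body)}

if __name__ == "__main__":
    print(validate_feishu_config({"connectionMode": "webhook", "verificationToken": "t0k"}))
    print(validate_feishu_config({"connectionMode": "webhook", "encryptKey": ENCRYPT_KEY}))
    print(verify_event(signed_headers(), BODY, ENCRYPT_KEY, NOW))
    print(verify_event({"X-Lark-Request-Timestamp": str(NOW)}, BODY, ENCRYPT_KEY, NOW))
```

A request carrying only a plaintext token (no signature, or one made with a different key, a modified body, or a stale timestamp) is rejected, which is the property the missing encryptKey requirement gave away.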

References

Read the full report for GHSA-G353-MGV3-8PCJ on our website for more details including interactive diagrams and full exploit analysis.
