
CVE Reports

Posted on • Originally published at cvereports.com

GHSA-m69h-jm2f-2pv8: Authorization Bypass via Insecure Event Resolution in OpenClaw Feishu Extension

Vulnerability ID: GHSA-M69H-JM2F-2PV8
CVSS Severity: Moderate
Published: 2026-03-13

An authorization bypass vulnerability exists in the Feishu extension of the OpenClaw AI assistant framework. By exploiting an insecure default in the reaction event processing logic, attackers can trigger bot actions in restricted group contexts, bypassing mention gating and group authorization controls.

TL;DR

OpenClaw versions prior to 2026.3.12 contain a logic flaw in the Feishu extension where ambiguous chat types default to 'p2p' (peer-to-peer). This allows attackers to bypass group Access Control Lists (ACLs) and mention requirements by reacting to messages with manipulated webhook payloads.
Technical Details

  • Attack Vector: Network
  • Impact: Authorization Bypass
  • Vulnerable Component: Feishu Extension (resolveReactionSyntheticEvent)
  • Fixed Version: 2026.3.12
  • Exploit Status: Unproven / Theoretical
  • CWE ID: CWE-863 (Incorrect Authorization)

Affected Systems

  • OpenClaw AI assistant framework
  • OpenClaw Feishu (Lark) Extension
  • openclaw: < 2026.3.12 (Fixed in: 2026.3.12)

Code Analysis

Commit: 3e730c0

Security patch addressing authorization bypass in Feishu synthetic reaction events.
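To make the flaw described in the TL;DR concrete, here is an added example (not OpenClaw's code, and not the contents of commit 3e730c0) that models a reaction webhook being resolved into a synthetic event: the insecure resolver defaults an ambiguous chat type to 'p2p', while the fail-closed version drops the event instead. The payload shape, the `chat_type` field, the ACL set, and the helper names are assumptions for illustration.

```javascript
// Added example (not OpenClaw's code): a minimal model of how a Feishu
// reaction webhook is turned into a synthetic message event, showing the
// insecure 'p2p' default beside a fail-closed resolver. Payload shape,
// function names and the ACL/mention helpers are assumptions.

// Constructed group ACL: only these chat ids may drive the bot.
const ALLOWED_GROUP_CHATS = new Set(["oc_allowed_group"]);
const BOT_OPEN_ID = "ou_bot";

// Vulnerable: an unknown or missing chat_type silently becomes 'p2p', so
// the downstream group ACL and mention gate are never consulted.
function resolveReactionSyntheticEventInsecure(payload) {
  const chatType = payload.chat_type === "group" ? "group" : "p2p";
  return { chatType, chatId: payload.chat_id, mentions: payload.mentions ?? [] };
}

// Hardened: only an explicit, known chat_type is accepted; anything else
// is dropped (null) rather than defaulted to the least restricted kind.
function resolveReactionSyntheticEventHardened(payload) {
  if (payload.chat_type !== "group" && payload.chat_type !== "p2p") return null;
  return { chatType: payload.chat_type, chatId: payload.chat_id, mentions: payload.mentions ?? [] };
}

// Authorization gate shared by both paths: group chats must be on the ACL
// and the message must mention the bot; p2p chats are always allowed.
function isAuthorized(event) {
  if (event === null) return false;
  if (event.chatType === "p2p") return true;
  return ALLOWED_GROUP_CHATS.has(event.chatId) && event.mentions.includes(BOT_OPEN_ID);
}

// Constructed reaction payload with the chat_type field missing, coming from
// a group that is not on the ACL and that never mentioned the bot.
const AMBIGUOUS_PAYLOAD = { chat_id: "oc_not_allowed", mentions: [] };

// Constructed well-formed group payload that should still be allowed.
const VALID_GROUP_PAYLOAD = {
  chat_type: "group", chat_id: "oc_allowed_group", mentions: ["ou_bot"],
};

// Returns whether each resolver lets the ambiguous payload through.
function demo() {
  return {
    insecure: isAuthorized(resolveReactionSyntheticEventInsecure(AMBIGUOUS_PAYLOAD)),
    hardened: isAuthorized(resolveReactionSyntheticEventHardened(AMBIGUOUS_PAYLOAD)),
    validGroup: isAuthorized(resolveReactionSyntheticEventHardened(VALID_GROUP_PAYLOAD)),
  };
}
```

The check in remediation step 5 corresponds to `demo().hardened` being false: an event without valid chat type metadata must be dropped, not promoted to a peer-to-peer context.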

Mitigation Strategies

  • Upgrade the openclaw package to the latest patched version.
  • Implement restrictive webhook filtering at the reverse proxy layer.
  • Disable reaction event subscriptions in the Feishu developer console as a temporary workaround.

Remediation Steps:

  1. Access the deployment environment where the OpenClaw application is hosted.
  2. Update the openclaw dependency in package.json to version >= 2026.3.12.
  3. Execute npm install or yarn install to pull the updated package.
  4. Restart the OpenClaw application service to apply the updated logic.
  5. Verify the bot correctly drops reaction events that lack valid chat type metadata.

