Description
OpenClaw versions prior to 2026.2.22 contain an authorization bypass vulnerability in the Feishu allowFrom allowlist implementation that accepts mutable sender display names instead of enforcing ID-only matching. An attacker can set a display name equal to an allowlisted ID string to bypass authorization checks and gain unauthorized access.
Published: 2026-03-19
Score: 6.3 Medium (CVSS 4.0; the CVSS 3.1 base score is 6.5)
EPSS: < 1% Very Low
KEV: No
Impact: Authorization Bypass
Action: Immediate Patch
AI Analysis

Impact

The Feishu allowFrom allowlist in OpenClaw versions prior to 2026.2.22 compares allowlist entries against the sender's display name as well as the sender's ID. A display name is chosen by the Feishu user, so any attacker who can message the bot can rename their account to an allowlisted ID string and be treated as that allowlisted sender. The result is unauthorized access to whatever the allowFrom check is meant to protect; the CVSS vector rates the confidentiality and integrity impact as low and the availability impact as none.

Affected Systems

OpenClaw, all versions earlier than 2026.2.22 (CPE cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*). No finer version granularity is recorded, so treat every pre-2026.2.22 installation as affected. The vulnerable check is the Feishu channel's allowFrom handling, so an installation is exposed only when the Feishu channel is in use; other channels are outside the scope of this advisory.

Risk and Exploitability

The CVSS 4.0 base score is 6.3 (Medium); the CVSS 3.1 score was revised on 25 March 2026 from 4.8 (AC:H) to 6.5 (AC:L). Both vectors are network-reachable with no privileges and no user interaction required; the 4.0 vector's AT:P reflects the one precondition, that the attacker holds a Feishu account able to message the OpenClaw bot and to change its own display name. EPSS is below 1% and the CVE is not in the CISA KEV catalog; the current SSVC record is Exploitation: none, Automatable: yes, Technical Impact: partial. Exploitation needs no crafted protocol traffic: the attacker renames the account to the exact string of an allowlisted sender ID and sends an ordinary message, and because the allowFrom check also compares the allowlist against the display name, the message is accepted as if it came from the allowlisted sender. This is an authorization bypass (CWE-863), not an authentication bypass or a privilege escalation within the application: Feishu still identifies the attacker correctly, OpenClaw simply trusts the wrong field.

Generated by OpenCVE AI on March 19, 2026 at 23:39 UTC.
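The display-name collision described in the analysis above, as an added example that is not OpenClaw's code and is not taken from the advisory: a minimal allowFrom check written the vulnerable way beside an ID-only version, plus a lint for allowFrom entries that look like names rather than IDs. The sender field names (open_id, user_id, display_name), the sample IDs, and the ID pattern are assumptions modelled loosely on Feishu message events; OpenClaw's real channel code and config format are not shown on this page.

```javascript
// Added example (not OpenClaw's code): the allowFrom bug shape described in
// the advisory, beside an ID-only check. Field names, sample IDs and the
// ID pattern are assumptions modelled loosely on Feishu message events.

// Constructed operator config: one trusted Feishu open_id.
const ALLOW_FROM = ["ou_7d8a6e1f2b3c4d5e"];

// Constructed inbound senders. Only display_name is user-editable in Feishu;
// open_id and user_id are assigned by the platform.
const SENDERS = {
  legit:    { open_id: "ou_7d8a6e1f2b3c4d5e", user_id: "u_1111", display_name: "Alice" },
  stranger: { open_id: "ou_ffffffffffffffff", user_id: "u_2222", display_name: "Mallory" },
  // The same stranger after renaming their account to the allowlisted ID string.
  attacker: { open_id: "ou_ffffffffffffffff", user_id: "u_2222", display_name: "ou_7d8a6e1f2b3c4d5e" },
};

// Vulnerable pattern: every sender attribute is a match candidate, so the
// attacker-controlled display name can satisfy the allowlist.
function isAllowedVulnerable(allowFrom, sender) {
  const candidates = [sender.open_id, sender.user_id, sender.display_name];
  return candidates.some((v) => allowFrom.includes(v));
}

// Fixed pattern: compare only platform-assigned identifiers, and report which
// one matched so the decision basis can be logged.
function checkAllowedFixed(allowFrom, sender) {
  const allow = new Set(allowFrom);
  for (const field of ["open_id", "user_id"]) {
    const value = sender[field];
    if (typeof value === "string" && allow.has(value)) {
      return { allowed: true, matchedOn: field };
    }
  }
  return { allowed: false, matchedOn: null };
}

// Config lint: an allowFrom entry that does not look like an ID (assumed
// "ou_"/"on_" + hex, or "u_" + digits) is probably a display name the
// operator typed in; the fixed check will never match it, so it should be
// replaced by the user's real ID rather than silently ignored.
const ID_SHAPED = /^(?:(?:ou|on)_[0-9a-f]{8,}|u_\d+)$/i;
function lintAllowFrom(allowFrom) {
  return allowFrom.filter((entry) => !ID_SHAPED.test(entry));
}

// Runs every constructed sender through both checks.
function demo() {
  const run = (fn) => Object.fromEntries(
    Object.entries(SENDERS).map(([name, s]) => [name, fn(ALLOW_FROM, s)]));
  return {
    vulnerable: run(isAllowedVulnerable),
    fixed: run((a, s) => checkAllowedFixed(a, s).allowed),
    suspiciousEntries: lintAllowFrom(["ou_7d8a6e1f2b3c4d5e", "Alice"]),
  };
}
```

Running demo() shows the attacker accepted by isAllowedVulnerable and rejected by checkAllowedFixed while the legitimate sender passes both, and the lint flags "Alice" as an entry that is not an ID.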

Remediation

Fixed in OpenClaw 2026.2.22, the first version outside the advisory's affected range (see GHSA-j4xf-96qf-rx69). No vendor workaround short of upgrading is listed.

OpenCVE Recommended Actions

  • Upgrade OpenClaw to version 2026.2.22 or later; that is the first release outside the affected range.
  • After upgrading, confirm that every Feishu allowFrom entry is a Feishu sender ID rather than a display name, and test with a non-allowlisted account you control that renaming it to an allowlisted ID string no longer gets its messages accepted.
  • Review logs from before the upgrade for inbound Feishu messages that were accepted although the sender's ID is not on the allowlist, and for senders whose display name is formatted like a Feishu ID; either pattern indicates the bypass was attempted.
  • Until the patch is applied, limit who can reach the bot from the Feishu side (for example by narrowing the Feishu app's availability to the intended users or temporarily disabling the Feishu channel). Network segmentation does not help here, because the attacker's message arrives through Feishu's normal delivery path rather than by a direct connection to the OpenClaw host.
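A retrospective check for the log review recommended above, as an added example rather than anything from OpenClaw or OpenCVE: it parses constructed JSON-lines records of inbound Feishu messages and flags acceptances that cannot be explained by the sender's real ID (the bypass itself), plus non-allowlisted senders whose display name is shaped like a Feishu ID (probable probing). The log layout, field names, and the ID pattern (ou_/on_ followed by hex) are assumptions; adapt them to what your deployment actually records.

```javascript
// Added example (not OpenClaw's code): hunt over inbound Feishu message
// logs for display-name collisions with an allowFrom list. The log layout,
// field names and ID pattern are assumptions.

// Constructed allowlist of trusted Feishu open_ids.
const ALLOW_FROM = ["ou_7d8a6e1f2b3c4d5e", "ou_0123456789abcdef"];

// Assumed Feishu ID shape: "ou_"/"on_" followed by hex. A display name in
// this shape is suspicious on its own, even if it matches no allowlist entry.
const ID_SHAPED = /^(ou|on)_[0-9a-f]{8,}$/i;

// Constructed JSON-lines log, one inbound message per line: the third line is
// the bypass (accepted, sender ID not allowlisted, name equals an entry), the
// fourth is a sender probing with an ID-shaped name that matches nothing.
const LOG = `
{"ts":"2026-03-18T09:01:02Z","open_id":"ou_7d8a6e1f2b3c4d5e","display_name":"Alice","accepted":true}
{"ts":"2026-03-18T09:05:10Z","open_id":"ou_ffffffffffffffff","display_name":"Mallory","accepted":false}
{"ts":"2026-03-18T09:07:45Z","open_id":"ou_ffffffffffffffff","display_name":"ou_7d8a6e1f2b3c4d5e","accepted":true}
{"ts":"2026-03-18T09:09:00Z","open_id":"ou_eeeeeeeeeeeeeeee","display_name":"ou_deadbeefdeadbeef","accepted":false}
`.trim();

// Parses JSON lines, skipping blank lines.
function parseLog(text) {
  return text.split("\n").filter(Boolean).map((line) => JSON.parse(line));
}

// Returns one finding per suspicious record. High severity: the message was
// accepted but the sender's real ID is not allowlisted. Medium severity: a
// non-allowlisted sender used a display name that collides with an allowlist
// entry or merely looks like a Feishu ID.
function huntDisplayNameCollisions(allowFrom, entries) {
  const allow = new Set(allowFrom);
  const findings = [];
  for (const e of entries) {
    const idAllowed = allow.has(e.open_id);
    const nameCollides = allow.has(e.display_name);
    if (e.accepted && !idAllowed) {
      findings.push({
        ts: e.ts, open_id: e.open_id, display_name: e.display_name, severity: "high",
        reason: nameCollides ? "accepted via display-name collision"
                             : "accepted but sender ID not on allowlist",
      });
    } else if (!idAllowed && (nameCollides || ID_SHAPED.test(e.display_name))) {
      findings.push({
        ts: e.ts, open_id: e.open_id, display_name: e.display_name, severity: "medium",
        reason: "non-allowlisted sender using ID-shaped display name",
      });
    }
  }
  return findings;
}

// Runs the hunt over the constructed log.
function runHunt() {
  return huntDisplayNameCollisions(ALLOW_FROM, parseLog(LOG));
}
```

The hunt keys off the sender's real ID, so it also catches acceptances that the vulnerable code never explained in its own logs; if your logs record which field the allowlist matched on, add that as a third signal.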



Advisories

Source: GitHub GHSA
ID: GHSA-j4xf-96qf-rx69
Title: OpenClaw has a Feishu allowFrom authorization bypass via display-name collision
History

Tue, 31 Mar 2026 16:15:00 +0000
Metrics: ssvc
Values removed: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}
Values added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 25 Mar 2026 15:00:00 +0000
Metrics: cvssV3_1
Values removed: {'score': 4.8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N'}
Values added: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}

Fri, 20 Mar 2026 17:15:00 +0000
Metrics: ssvc
Values added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 19 Mar 2026 22:15:00 +0000 (initial record; all values added)
Description: OpenClaw versions prior to 2026.2.22 contain an authorization bypass vulnerability in the Feishu allowFrom allowlist implementation that accepts mutable sender display names instead of enforcing ID-only matching. An attacker can set a display name equal to an allowlisted ID string to bypass authorization checks and gain unauthorized access.
Title: OpenClaw < 2026.2.22 - Authorization Bypass via Display Name Collision in Feishu allowFrom
First time appeared: Openclaw (vendor); Openclaw openclaw (product)
Weaknesses: CWE-863
CPEs: cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*
Vendors & Products: Openclaw; Openclaw openclaw
References: (none recorded)
Metrics: cvssV3_1 {'score': 4.8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N'}
Metrics: cvssV4_0 {'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-31T15:33:08.929Z

Reserved: 2026-03-10T19:48:40.708Z

Link: CVE-2026-32021

Vulnrichment

Updated: 2026-03-20T17:02:34.039Z

NVD

Status: Modified

Published: 2026-03-19T22:16:36.103

Modified: 2026-03-25T15:16:44.740

Link: CVE-2026-32021

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-20T11:05:24Z

Weaknesses