Description
OpenClaw before 2026.3.12 contains an authorization bypass vulnerability where Feishu reaction events with omitted chat_type are misclassified as p2p conversations instead of group chats. Attackers can exploit this misclassification to bypass groupAllowFrom and requireMention protections in group chat reaction-derived events.
Published: 2026-03-29
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Authorization Bypass via misclassified reaction events
Action: Patch Now
AI Analysis

Impact

OpenClaw before 2026.3.12 contains an authorization bypass that occurs when Feishu reaction events omit the 'chat_type' field. The missing field causes the system to treat the event as a peer‑to‑peer conversation instead of a group chat, allowing the attacker to trigger group‑level protections such as groupAllowFrom and requireMention without appropriate authorization.

Affected Systems

This issue affects the OpenClaw application installed on any Node.js runtime with a version earlier than 2026.3.12. All deployments using the earlier releases are susceptible until the application is updated.

Risk and Exploitability

The CVSS score is 6.9, indicating a high impact when exploitation succeeds. EPSS data is not available, and the vulnerability is not listed in the KEV catalog. The exploit requires the attacker to send a crafted Feishu reaction event that lacks the chat_type value, a scenario that can be achieved remotely if the target has internet connectivity and can receive Feishu events. No additional prerequisites are noted, making the vulnerability relatively straightforward to exploit for an attacker who can generate such events.

Generated by OpenCVE AI on March 29, 2026 at 14:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OpenClaw to version 2026.3.12 or later.
  • Verify after upgrade that groupAllowFrom and requireMention protections are operating as intended.

Generated by OpenCVE AI on March 29, 2026 at 14:38 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 30 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Sun, 29 Mar 2026 13:15:00 +0000

Type Values Removed Values Added
Description OpenClaw before 2026.3.12 contains an authorization bypass vulnerability where Feishu reaction events with omitted chat_type are misclassified as p2p conversations instead of group chats. Attackers can exploit this misclassification to bypass groupAllowFrom and requireMention protections in group chat reaction-derived events.
Title OpenClaw < 2026.3.12 - Authorization Bypass via Misclassified Reaction Events in Feishu
First Time appeared Openclaw
Openclaw openclaw
Weaknesses CWE-863
CPEs cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*
Vendors & Products Openclaw
Openclaw openclaw
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Openclaw Openclaw
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-30T14:52:22.363Z

Reserved: 2026-03-16T21:19:31.966Z

Link: CVE-2026-32924

cve-icon Vulnrichment

Updated: 2026-03-30T12:50:36.261Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-29T13:17:00.963

Modified: 2026-03-31T17:57:06.213

Link: CVE-2026-32924

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-30T06:58:22Z

Weaknesses