Impact
OpenClaw versions prior to 2026.5.6 allow an authenticated sender to bypass the configuration‑write enforcement configured for Feishu dynamic‑agent bindings. The flaw, an authorization weakness classified as CWE‑863, lets the attacker create or update bindings that would normally be restricted, so binding state can be altered beyond what the intended policy allows.
Affected Systems
The vulnerability affects OpenClaw software, specifically all builds released before version 2026.5.6.
Risk and Exploitability
The CVSS score of 2.3 indicates low severity. No EPSS score is reported, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires an authenticated user who is permitted to use the dynamic‑agent binding feature, so the attack is likely confined to actors already inside the application. The impact on confidentiality, integrity, and availability is limited to unauthorized configuration changes; the flaw does not provide remote code execution or denial of service.
OpenCVE Enrichment