This is a missing-authorization flaw (CWE-862) in OpenClaw's Feishu channel integration: a Feishu sender using dynamic-agent binding can create or update sender-agent bindings without the operator's configured config-write control being enforced, letting binding state drift from intended policy. The CVSS 3.1 score of 3.1 (AV:N/AC:H/PR:L/UI:N/C:N/I:L/A:N) reflects a narrow blast radius — only 4 downstream dependents, no EPSS score published, not in CISA KEV, and no public exploit or Nuclei template exist, so this is not an urgent, actively-exploited threat. Still, OpenClaw's advisory history is heavy (425 other CVEs tracked in the same package), and this specific class — a trusted-operator boundary silently not enforcing a configured control — is exactly the kind of gap that erodes confidence in multi-tenant Gateway deployments where mutually untrusted senders share a channel. Patch to 2026.5.6, and until then disable sender-created Feishu dynamic-agent bindings if the feature isn't in active use, keep channel/tool allowlists narrow, and avoid sharing one Gateway instance across untrusted user populations.
What is the risk?
Low severity per CVSS (3.1) — exploitability is constrained by AC:High and PR:Low (attacker must already hold some Feishu sender-level privilege to reach the path) and impact is limited to integrity of binding configuration (I:L), with no confidentiality or availability effect. No EPSS score, not in CISA KEV, no public exploit or Nuclei scanner coverage — no signal of active or imminent exploitation. Real-world risk concentrates in shared/multi-tenant OpenClaw Gateway deployments where Feishu dynamic-agent binding is enabled and reachable by lower-trust senders; single-tenant or disabled-feature deployments are effectively unaffected.
How does the attack unfold?
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| OpenClaw | npm | <= 2026.5.5 | 2026.5.6 |
Do you use OpenClaw? You're affected.
How severe is it?
What is the attack surface?
What should I do?
1 step-
Upgrade to openclaw 2026.5.6 or later (first patched version). If immediate patching isn't possible, disable sender-created Feishu dynamic-agent bindings entirely until patched. General hardening: keep channel and tool allowlists narrow, don't share a single Gateway instance across mutually untrusted users/tenants, and audit sender-agent binding change logs for unexpected bindings as a detection signal — this is a logic bug with no CVE-specific IOC or signature a scanner would flag.
How is it classified?
Which compliance frameworks are affected?
This CVE is relevant to:
Frequently Asked Questions
What is GHSA-3wqp-prf6-2m72?
This is a missing-authorization flaw (CWE-862) in OpenClaw's Feishu channel integration: a Feishu sender using dynamic-agent binding can create or update sender-agent bindings without the operator's configured config-write control being enforced, letting binding state drift from intended policy. The CVSS 3.1 score of 3.1 (AV:N/AC:H/PR:L/UI:N/C:N/I:L/A:N) reflects a narrow blast radius — only 4 downstream dependents, no EPSS score published, not in CISA KEV, and no public exploit or Nuclei template exist, so this is not an urgent, actively-exploited threat. Still, OpenClaw's advisory history is heavy (425 other CVEs tracked in the same package), and this specific class — a trusted-operator boundary silently not enforcing a configured control — is exactly the kind of gap that erodes confidence in multi-tenant Gateway deployments where mutually untrusted senders share a channel. Patch to 2026.5.6, and until then disable sender-created Feishu dynamic-agent bindings if the feature isn't in active use, keep channel/tool allowlists narrow, and avoid sharing one Gateway instance across untrusted user populations.
Is GHSA-3wqp-prf6-2m72 actively exploited?
No confirmed active exploitation of GHSA-3wqp-prf6-2m72 has been reported, but organizations should still patch proactively.
How to fix GHSA-3wqp-prf6-2m72?
Upgrade to openclaw 2026.5.6 or later (first patched version). If immediate patching isn't possible, disable sender-created Feishu dynamic-agent bindings entirely until patched. General hardening: keep channel and tool allowlists narrow, don't share a single Gateway instance across mutually untrusted users/tenants, and audit sender-agent binding change logs for unexpected bindings as a detection signal — this is a logic bug with no CVE-specific IOC or signature a scanner would flag.
What systems are affected by GHSA-3wqp-prf6-2m72?
This vulnerability affects the following AI/ML architecture patterns: agent frameworks.
What is the CVSS score for GHSA-3wqp-prf6-2m72?
GHSA-3wqp-prf6-2m72 has a CVSS v3.1 base score of 3.1 (LOW).
What is the AI security impact?
Affected AI Architectures
MITRE ATLAS Techniques
AML.T0081 Modify AI Agent Configuration Compliance Controls Affected
What are the technical details?
Original Advisory
### Summary Feishu dynamic-agent bindings could miss configWrites enforcement. In affected versions, a Feishu sender using dynamic-agent binding behavior could create or update bindings without honoring the configured config-write control. This advisory is scoped to the named feature and configuration. It does not change OpenClaw's trusted-operator model: authenticated Gateway operators, installed plugins, and intentional local execution surfaces remain trusted unless a separate policy, approval, allowlist, sandbox, or auth boundary is crossed. ### Impact When the affected feature is enabled and reachable, this could change sender-agent binding state beyond the intended policy. Practical impact depends on the operator's configuration and whether lower-trust input can reach that path. ### Patched Versions The first stable patched version is `2026.5.6`. ### Mitigations Disable sender-created Feishu dynamic-agent bindings until patched if not needed. As general hardening, keep channel and tool allowlists narrow, avoid sharing one Gateway between mutually untrusted users, and disable the affected feature when it is not needed.
Exploitation Scenario
In a shared OpenClaw Gateway deployment with the Feishu connector and dynamic-agent binding enabled, a low-privilege Feishu sender (e.g., a workspace member who is not an authorized Gateway operator) triggers the agent-binding creation/update path. Because the configured config-write control isn't enforced on this path, the request succeeds despite policy intending to block it, and the sender's channel is now bound to an agent configuration outside the intended policy — potentially one with broader tool access. This lets the sender influence which agent handles their messages going forward, without ever crossing the classic 'authenticated operator' trust boundary OpenClaw otherwise assumes.
Weaknesses (CWE)
CWE-862 — Missing Authorization: The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
- [Architecture and Design] Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries. Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
- [Architecture and Design] Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].
Source: MITRE CWE corpus.
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N References
Timeline
Related Vulnerabilities
CVE-2026-33579 9.9 OpenClaw: scope bypass escalates low-priv to admin
Same package: openclaw CVE-2026-32922 9.9 OpenClaw: privilege escalation to RCE via token scope bypass
Same package: openclaw CVE-2026-32038 9.8 OpenClaw: sandbox bypass enables container lateral movement
Same package: openclaw CVE-2026-53838 9.8 OpenClaw: approval scope bypass via reconnection state
Same package: openclaw CVE-2026-30741 9.8 OpenClaw: RCE via request-side prompt injection
Same package: openclaw