GHSA-3wqp-prf6-2m72: OpenClaw: Feishu agent-binding auth bypass

GHSA-3wqp-prf6-2m72 LOW
Published July 2, 2026
CISO Take

This is a missing-authorization flaw (CWE-862) in OpenClaw's Feishu channel integration: a Feishu sender using dynamic-agent binding can create or update sender-agent bindings without the operator's configured config-write control being enforced, letting binding state drift from intended policy. The CVSS 3.1 score of 3.1 (AV:N/AC:H/PR:L/UI:N/C:N/I:L/A:N) reflects a narrow blast radius — only 4 downstream dependents, no EPSS score published, not in CISA KEV, and no public exploit or Nuclei template exist, so this is not an urgent, actively-exploited threat. Still, OpenClaw's advisory history is heavy (425 other CVEs tracked in the same package), and this specific class — a trusted-operator boundary silently not enforcing a configured control — is exactly the kind of gap that erodes confidence in multi-tenant Gateway deployments where mutually untrusted senders share a channel. Patch to 2026.5.6, and until then disable sender-created Feishu dynamic-agent bindings if the feature isn't in active use, keep channel/tool allowlists narrow, and avoid sharing one Gateway instance across untrusted user populations.

Sources: GitHub Advisory ATLAS

What is the risk?

Low severity per CVSS (3.1) — exploitability is constrained by AC:High and PR:Low (attacker must already hold some Feishu sender-level privilege to reach the path) and impact is limited to integrity of binding configuration (I:L), with no confidentiality or availability effect. No EPSS score, not in CISA KEV, no public exploit or Nuclei scanner coverage — no signal of active or imminent exploitation. Real-world risk concentrates in shared/multi-tenant OpenClaw Gateway deployments where Feishu dynamic-agent binding is enabled and reachable by lower-trust senders; single-tenant or disabled-feature deployments are effectively unaffected.

How does the attack unfold?

Initial Access
A Feishu sender with some existing channel-level privilege (PR:L) reaches the OpenClaw Gateway's dynamic-agent binding feature over the Feishu channel.
Exploitation
The sender creates or updates a sender-agent binding; the configured config-write control is not enforced on this path (CWE-862), so the unauthorized change succeeds.
AML.T0081
Impact
Sender-agent binding state diverges from intended policy, potentially routing the sender's conversation to an agent with a different tool allowlist or trust level than the operator configured.

What systems are affected?

Package Ecosystem Vulnerable Range Patched
OpenClaw npm <= 2026.5.5 2026.5.6
4 dependents 41% patched ~3d to patch Full package profile →

Do you use OpenClaw? You're affected.

How severe is it?

CVSS 3.1
3.1 / 10
EPSS
N/A
Exploitation Status
No known exploitation
Sophistication
Moderate

What is the attack surface?

AV AC PR UI S C I A
AV Network
AC High
PR Low
UI None
S Unchanged
C None
I Low
A None

What should I do?

1 step
  1. Upgrade to openclaw 2026.5.6 or later (first patched version). If immediate patching isn't possible, disable sender-created Feishu dynamic-agent bindings entirely until patched. General hardening: keep channel and tool allowlists narrow, don't share a single Gateway instance across mutually untrusted users/tenants, and audit sender-agent binding change logs for unexpected bindings as a detection signal — this is a logic bug with no CVE-specific IOC or signature a scanner would flag.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

ISO 42001
A.8.3 - AI system operation and monitoring
NIST AI RMF
MEASURE-2.7 - AI system security and resilience are evaluated and documented
OWASP LLM Top 10
LLM06:2025 - Excessive Agency

Frequently Asked Questions

What is GHSA-3wqp-prf6-2m72?

This is a missing-authorization flaw (CWE-862) in OpenClaw's Feishu channel integration: a Feishu sender using dynamic-agent binding can create or update sender-agent bindings without the operator's configured config-write control being enforced, letting binding state drift from intended policy. The CVSS 3.1 score of 3.1 (AV:N/AC:H/PR:L/UI:N/C:N/I:L/A:N) reflects a narrow blast radius — only 4 downstream dependents, no EPSS score published, not in CISA KEV, and no public exploit or Nuclei template exist, so this is not an urgent, actively-exploited threat. Still, OpenClaw's advisory history is heavy (425 other CVEs tracked in the same package), and this specific class — a trusted-operator boundary silently not enforcing a configured control — is exactly the kind of gap that erodes confidence in multi-tenant Gateway deployments where mutually untrusted senders share a channel. Patch to 2026.5.6, and until then disable sender-created Feishu dynamic-agent bindings if the feature isn't in active use, keep channel/tool allowlists narrow, and avoid sharing one Gateway instance across untrusted user populations.

Is GHSA-3wqp-prf6-2m72 actively exploited?

No confirmed active exploitation of GHSA-3wqp-prf6-2m72 has been reported, but organizations should still patch proactively.

How to fix GHSA-3wqp-prf6-2m72?

Upgrade to openclaw 2026.5.6 or later (first patched version). If immediate patching isn't possible, disable sender-created Feishu dynamic-agent bindings entirely until patched. General hardening: keep channel and tool allowlists narrow, don't share a single Gateway instance across mutually untrusted users/tenants, and audit sender-agent binding change logs for unexpected bindings as a detection signal — this is a logic bug with no CVE-specific IOC or signature a scanner would flag.

What systems are affected by GHSA-3wqp-prf6-2m72?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks.

What is the CVSS score for GHSA-3wqp-prf6-2m72?

GHSA-3wqp-prf6-2m72 has a CVSS v3.1 base score of 3.1 (LOW).

What is the AI security impact?

Affected AI Architectures

agent frameworks

MITRE ATLAS Techniques

AML.T0081 Modify AI Agent Configuration

Compliance Controls Affected

ISO 42001: A.8.3
NIST AI RMF: MEASURE-2.7
OWASP LLM Top 10: LLM06:2025

What are the technical details?

Original Advisory

### Summary Feishu dynamic-agent bindings could miss configWrites enforcement. In affected versions, a Feishu sender using dynamic-agent binding behavior could create or update bindings without honoring the configured config-write control. This advisory is scoped to the named feature and configuration. It does not change OpenClaw's trusted-operator model: authenticated Gateway operators, installed plugins, and intentional local execution surfaces remain trusted unless a separate policy, approval, allowlist, sandbox, or auth boundary is crossed. ### Impact When the affected feature is enabled and reachable, this could change sender-agent binding state beyond the intended policy. Practical impact depends on the operator's configuration and whether lower-trust input can reach that path. ### Patched Versions The first stable patched version is `2026.5.6`. ### Mitigations Disable sender-created Feishu dynamic-agent bindings until patched if not needed. As general hardening, keep channel and tool allowlists narrow, avoid sharing one Gateway between mutually untrusted users, and disable the affected feature when it is not needed.

Exploitation Scenario

In a shared OpenClaw Gateway deployment with the Feishu connector and dynamic-agent binding enabled, a low-privilege Feishu sender (e.g., a workspace member who is not an authorized Gateway operator) triggers the agent-binding creation/update path. Because the configured config-write control isn't enforced on this path, the request succeeds despite policy intending to block it, and the sender's channel is now bound to an agent configuration outside the intended policy — potentially one with broader tool access. This lets the sender influence which agent handles their messages going forward, without ever crossing the classic 'authenticated operator' trust boundary OpenClaw otherwise assumes.

Weaknesses (CWE)

CWE-862 — Missing Authorization: The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

  • [Architecture and Design] Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries. Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
  • [Architecture and Design] Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N

Timeline

Published
July 2, 2026
Last Modified
July 2, 2026
First Seen
July 2, 2026

Related Vulnerabilities