OpenClaw's Feishu docx upload functionality (upload_file/upload_image) fails to enforce workspace-only filesystem restrictions, allowing reads of arbitrary local files — and this is an incomplete fix of a prior vulnerability (GHSA-qf48-qfv4-jjm9), meaning the boundary was already broken once before. While CVSS is unscored and no public exploit exists, local AI agents typically run with broad user-level filesystem access, putting SSH keys, .env files, API tokens, and browser credentials in scope for any user who processed attacker-controlled Feishu documents. The 60 prior CVEs in the openclaw package and AIID #1368 (malicious OpenClaw skills delivering AMOS credential stealers via ClawHub) establish a clear pattern of poor security boundaries in this ecosystem. Patch to 2026.4.8 immediately; if patching is delayed, disable Feishu docx upload features or apply OS-level sandboxing to restrict agent filesystem access.
What is the risk?
Low CVSS severity, but the scoped severity understates real-world risk for local AI agents. Any workspace policy bypass on an agent with broad filesystem permissions is a credential-exposure event on developer workstations. The incomplete-fix pattern (second attempt to close the same class of bug) signals systemic weakness in boundary enforcement — not an isolated slip. No active exploitation confirmed, no CISA KEV listing, no EPSS data available. Risk escalates significantly if openclaw agents run in environments where sensitive credentials are stored locally, which is nearly universal among developers and security practitioners who are the likely user base.
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| OpenClaw | npm | < 2026.4.8 | 2026.4.8 |
Do you use OpenClaw? You're affected.
How severe is it?
What should I do?
5 steps-
Patch: Upgrade openclaw to >= 2026.4.8 immediately.
-
Verify fix: Confirm commit d7c3210cd6f5fdfdc1beff4c9541673e814354d5 is included in the installed version.
-
Workaround (if patching delayed): Disable Feishu docx upload functionality — block or remove upload_file and upload_image tool access in agent configuration.
-
Defense-in-depth: Run openclaw under OS-level sandboxing (macOS App Sandbox, Linux seccomp/AppArmor) to enforce filesystem restrictions at the kernel level, independent of application policy.
-
Audit: If Feishu upload features were used in affected versions, review local file access logs for anomalous reads outside expected workspace directories.
How is it classified?
Which compliance frameworks are affected?
This CVE is relevant to:
Frequently Asked Questions
What is GHSA-5fc7-f62m-8983?
OpenClaw's Feishu docx upload functionality (upload_file/upload_image) fails to enforce workspace-only filesystem restrictions, allowing reads of arbitrary local files — and this is an incomplete fix of a prior vulnerability (GHSA-qf48-qfv4-jjm9), meaning the boundary was already broken once before. While CVSS is unscored and no public exploit exists, local AI agents typically run with broad user-level filesystem access, putting SSH keys, .env files, API tokens, and browser credentials in scope for any user who processed attacker-controlled Feishu documents. The 60 prior CVEs in the openclaw package and AIID #1368 (malicious OpenClaw skills delivering AMOS credential stealers via ClawHub) establish a clear pattern of poor security boundaries in this ecosystem. Patch to 2026.4.8 immediately; if patching is delayed, disable Feishu docx upload features or apply OS-level sandboxing to restrict agent filesystem access.
Is GHSA-5fc7-f62m-8983 actively exploited?
No confirmed active exploitation of GHSA-5fc7-f62m-8983 has been reported, but organizations should still patch proactively.
How to fix GHSA-5fc7-f62m-8983?
1. Patch: Upgrade openclaw to >= 2026.4.8 immediately. 2. Verify fix: Confirm commit d7c3210cd6f5fdfdc1beff4c9541673e814354d5 is included in the installed version. 3. Workaround (if patching delayed): Disable Feishu docx upload functionality — block or remove upload_file and upload_image tool access in agent configuration. 4. Defense-in-depth: Run openclaw under OS-level sandboxing (macOS App Sandbox, Linux seccomp/AppArmor) to enforce filesystem restrictions at the kernel level, independent of application policy. 5. Audit: If Feishu upload features were used in affected versions, review local file access logs for anomalous reads outside expected workspace directories.
What systems are affected by GHSA-5fc7-f62m-8983?
This vulnerability affects the following AI/ML architecture patterns: local AI agent deployments, agent frameworks with external document integrations, Feishu/Lark collaboration tool integrations.
What is the CVSS score for GHSA-5fc7-f62m-8983?
No CVSS score has been assigned yet.
What is the AI security impact?
Affected AI Architectures
MITRE ATLAS Techniques
AML.T0037 Data from Local System AML.T0053 AI Agent Tool Invocation AML.T0083 Credentials from AI Agent Configuration AML.T0086 Exfiltration via AI Agent Tool Invocation Compliance Controls Affected
What are the technical details?
Original Advisory
## Impact Feishu docx upload_file/upload_image Bypasses Workspace-Only Filesystem Policy (GHSA-qf48-qfv4-jjm9 Incomplete Fix). Feishu document uploads could read local files outside the workspace-only file policy when processing docx upload blocks. OpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary. ## Affected Packages / Versions - Package: `openclaw` (npm) - Affected versions: `<=2026.4.3` - Patched versions: `2026.4.8` ## Fix The issue was fixed on `main` and is available in the patched npm version listed above. The verified fixed tree is commit `d7c3210cd6f5fdfdc1beff4c9541673e814354d5`. ## Verification The fix was re-checked against `main` before publication, including targeted regression tests for the affected security boundary. ## Credits Thanks @Rosayxy for reporting.
Exploitation Scenario
An attacker shares a malicious Feishu document with a target OpenClaw user — for example, via a collaboration workspace or phishing link. The docx contains specially crafted upload_file or upload_image blocks referencing arbitrary local paths (e.g., ~/.ssh/id_rsa, .env containing API keys, ~/.aws/credentials). When OpenClaw's agent processes the document and invokes the Feishu upload tool, it reads the referenced local file without enforcing the workspace boundary restriction. The file contents are embedded in the upload request, effectively using OpenClaw as a local file exfiltration proxy that tunnels sensitive data to Feishu's infrastructure — a service the victim likely trusts and does not monitor for data loss.
Weaknesses (CWE)
CWE-732 — Incorrect Permission Assignment for Critical Resource: The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.
- [Implementation] When using a critical resource such as a configuration file, check to see if the resource has insecure permissions (such as being modifiable by any regular user) [REF-62], and generate an error or even exit the software if there is a possibility that the resource could have been modified by an unauthorized party.
- [Architecture and Design] Divide the software into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully defining distinct user groups, privileges, and/or roles. Map these against data, functionality, and the related resources. Then set the permissions accordingly. This will allow you to maintain more fine-grained control over your resources. [REF-207]
Source: MITRE CWE corpus.
References
Timeline
Related Vulnerabilities
CVE-2026-33579 9.9 OpenClaw: scope bypass escalates low-priv to admin
Same package: openclaw CVE-2026-32922 9.9 OpenClaw: privilege escalation to RCE via token scope bypass
Same package: openclaw CVE-2026-32038 9.8 OpenClaw: sandbox bypass enables container lateral movement
Same package: openclaw CVE-2026-53838 9.8 OpenClaw: approval scope bypass via reconnection state
Same package: openclaw CVE-2026-30741 9.8 OpenClaw: RCE via request-side prompt injection
Same package: openclaw