GHSA-72q8-jcmc-97wx: openclaw: DM policy bypass via Feishu card-action callbacks

GHSA-72q8-jcmc-97wx MEDIUM
Published April 25, 2026
CISO Take

OpenClaw's Feishu integration incorrectly classified direct-message card-action callbacks as group-conversation events, allowing any sender in a Feishu DM to trigger agent flows that a restrictive dmPolicy should have blocked. With 135 prior CVEs in this package, openclaw carries a notable vulnerability history for an AI agent framework—though this specific issue affects only organizations using the Feishu connector and is rated medium severity with no public exploit, no KEV listing, and only 4 downstream dependents. There is no evidence of active exploitation, keeping this in the patch-and-monitor category rather than an emergency response. Upgrade to openclaw 2026.4.20 and audit any Feishu-connected deployments to confirm dmPolicy enforcement is active post-patch.

Sources: GitHub Advisory, ATLAS

What is the risk?

Medium risk overall. The authorization bypass is bounded to the Feishu card-action surface and requires the attacker to already be in a DM conversation with the target's OpenClaw-connected Feishu workspace—limiting exposure to authenticated insiders or social-engineering scenarios. No CVSS vector, no EPSS data, and zero public exploits lower urgency. However, openclaw's 135-CVE history and AI agent context (where unauthorized action execution can have downstream consequences beyond a typical web app) justify prompt patching for any organization using this connector.

How does the attack unfold?

  1. Initial Access (AML.T0049): Attacker initiates or uses an existing Feishu DM conversation with a user in a workspace where OpenClaw is deployed as an AI agent.

  2. Policy Bypass (AML.T0107): Attacker sends a crafted Feishu card message in the DM; OpenClaw's pre-patch code misclassifies the card-action callback as originating from a group conversation, skipping dmPolicy enforcement.

  3. Unauthorized Execution (AML.T0053): The agent dispatches the card-action workflow as if it were a group-authorized request, executing tool calls, queries, or automated flows the attacker should not be able to trigger from a DM.

  4. Impact: Attacker achieves execution of restricted agent workflows—potentially accessing enterprise integrations, retrieving data, or triggering approval flows—with no indication to the victim that DM-policy guardrails were bypassed.

What systems are affected?

| Package  | Ecosystem | Vulnerable Range | Patched   |
|----------|-----------|------------------|-----------|
| OpenClaw | npm       | < 2026.4.20      | 2026.4.20 |

4 dependents, 36% patched, ~3d to patch


How severe is it?

CVSS 3.1: N/A
EPSS: N/A
Exploitation Status: No known exploitation
Sophistication: Moderate

What should I do?

  1. Upgrade openclaw npm package to version 2026.4.20 immediately.

  2. Review all active Feishu card-action definitions and confirm which trigger privileged agent behaviors.

  3. Audit recent DM-originated card-action invocations in logs for any anomalous executions that should have been blocked by dmPolicy.

  4. As a temporary workaround prior to patching, disable or restrict Feishu card-action handlers in DM contexts via configuration if the framework allows it.

  5. Validate that post-patch dmPolicy enforcement correctly blocks the previously affected flows by testing with a DM-originated card-action event.

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act: Art. 9 - Risk management system
ISO 42001: A.6.2.3 - Access control for AI systems
NIST AI RMF: GOVERN 6.2 - Organizational teams document policies and procedures for AI risk
OWASP LLM Top 10: LLM08 - Excessive Agency

Frequently Asked Questions

Is GHSA-72q8-jcmc-97wx actively exploited?

No confirmed active exploitation of GHSA-72q8-jcmc-97wx has been reported, but organizations should still patch proactively.

What systems are affected by GHSA-72q8-jcmc-97wx?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, messaging platform integrations, enterprise AI assistants.

What is the CVSS score for GHSA-72q8-jcmc-97wx?

No CVSS score has been assigned yet.

What is the AI security impact?

Affected AI Architectures

agent frameworks, messaging platform integrations, enterprise AI assistants

MITRE ATLAS Techniques

AML.T0049 Exploit Public-Facing Application
AML.T0053 AI Agent Tool Invocation
AML.T0107 Exploitation for Defense Evasion

Compliance Controls Affected

EU AI Act: Art. 9
ISO 42001: A.6.2.3
NIST AI RMF: GOVERN 6.2
OWASP LLM Top 10: LLM08

What are the technical details?

Original Advisory

## Affected Packages / Versions

- Package: `openclaw` (npm)
- Affected versions: `< 2026.4.20`
- Patched version: `2026.4.20`

## Impact

Feishu card-action callbacks could synthesize a message event with DM conversations classified as group conversations. That skipped `dmPolicy` enforcement for card actions, so a sender in a Feishu DM could trigger card-action flows that should have been blocked by a restrictive DM policy.

The issue is limited to Feishu card-action handling. Severity is medium.

## Fix

OpenClaw now resolves Feishu card-action chat type before dispatch, including API lookup when stored context is unavailable, and avoids falling through to group handling for DMs.

Fix commit:

- `90979d7c3ef7ec30b9f8aa6963a5e38d2f17d166`

## Release

Fixed in OpenClaw `2026.4.20`.
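The fix pattern the advisory describes (resolve the chat type before dispatch, look it up when stored context is missing, never default to group) is sketched below as an added example; it is not OpenClaw's code. It also gives the shape of the post-patch check in the remediation steps: a DM-originated card action from a sender outside the policy must be refused. The function names, the `dm`/`group` values and the allowlist-shaped `dmPolicy` are assumptions made for illustration.

```javascript
// Added illustration, not OpenClaw source. Every name below is hypothetical.
const DM = 'dm', GROUP = 'group';

// Pre-fix pattern: anything not positively known to be a DM is treated as a
// group chat, so a DM with no stored context never reaches the DM policy.
function classifyLegacy(callback, store) {
  return store.get(callback.chatId) === DM ? DM : GROUP;
}

// Post-fix pattern: stored context first, then a lookup, and no silent
// default. An unresolved chat type is an error, not a group.
async function resolveChatType(callback, store, lookupChatType) {
  let type = store.get(callback.chatId);
  if (type !== DM && type !== GROUP) {
    type = await lookupChatType(callback.chatId); // stand-in for a platform API call
  }
  if (type !== DM && type !== GROUP) {
    throw new Error(`unresolved chat type for ${callback.chatId}`);
  }
  return type;
}

// Assumed policy shape: an allowlist of sender ids permitted to act in DMs.
function authorize(chatType, senderId, dmPolicy) {
  if (chatType === DM) return dmPolicy.allowFrom.includes(senderId);
  return true; // group rules are outside this sketch
}

async function dispatchCardAction(callback, deps) {
  let chatType;
  try {
    chatType = await resolveChatType(callback, deps.store, deps.lookupChatType);
  } catch {
    return { dispatched: false, reason: 'chat-type-unresolved' }; // fail closed
  }
  if (!authorize(chatType, callback.senderId, deps.dmPolicy)) {
    return { dispatched: false, reason: 'dm-policy', chatType };
  }
  return { dispatched: true, chatType };
}

// Constructed sample: a DM whose context was never stored locally.
const sampleCallback = { chatId: 'chat-dm-1', senderId: 'user-untrusted', action: 'approve' };
const sampleDeps = {
  store: new Map(),
  lookupChatType: async (id) => (id === 'chat-dm-1' ? DM : GROUP),
  dmPolicy: { allowFrom: ['user-owner'] },
};
```

With the constructed sample, `classifyLegacy` returns `group` for the DM, while `dispatchCardAction` refuses it with reason `dm-policy`, and refuses with `chat-type-unresolved` when the lookup returns nothing.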

Exploitation Scenario

An attacker with a Feishu account shares a crafted card message into a direct message conversation with a user whose workspace runs an OpenClaw AI agent. The card contains an action button wired to a sensitive workflow—such as querying internal databases or executing an approval flow. Pre-patch, OpenClaw misclassifies the DM callback as a group event and dispatches the action without checking dmPolicy, so the attacker successfully invokes an agent workflow that should be restricted to group channels. The attacker can repeat this across any card-action-capable flow the agent supports, all from an unprivileged DM context.

Weaknesses (CWE)

CWE-863 — Incorrect Authorization: The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

  • [Architecture and Design] Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries. Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
  • [Architecture and Design] Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].

Source: MITRE CWE corpus.

Timeline

Published: April 25, 2026
Last Modified: April 25, 2026
First Seen: April 26, 2026
