OpenClaw Authorization Bypass Vulnerability in Feishu Allowlist Implementation

Vulnerability

A vulnerability allowing authorization bypass has been identified in OpenClaw versions prior to 2026.2.22. This issue arises in the Feishu allowFrom allowlist implementation, which incorrectly accepts mutable sender display names instead of enforcing ID-only matching. An attacker can exploit this by setting a display name that matches an allowlisted ID, thereby bypassing authorization checks and gaining unauthorized access.

Impact

Exploitation of this vulnerability could lead to unauthorized access: a non-allowlisted sender is incorrectly treated as authorized solely because its display name collides with an allowlisted ID.

Reproduction

To reproduce this vulnerability, an attacker can set a display name equal to an allowlisted ID string within the Feishu allowFrom allowlist. When a message is sent, the authorization checks will incorrectly validate the sender as authorized, bypassing the intended allowlist restrictions.
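The following is an added illustration, not OpenClaw's own code, of the allowlist mistake described in the Vulnerability and Reproduction sections: a hypothetical check that consults the mutable display name beside the ID-only form that closes the gap, plus an audit helper that flags a display name colliding with an allowlist entry. Field names (openId, displayName) and the sample IDs are assumptions for the example.

```typescript
// Added example (not from OpenClaw): Feishu-style allowFrom matching.
interface FeishuSender {
  openId: string;      // platform-assigned, stable identifier
  displayName: string; // user-chosen, mutable at any time
}

// Vulnerable pattern: the allowlist entry is compared against both the
// stable ID and the mutable display name, so anyone who renames
// themselves to an allowlisted ID string is accepted.
function isAllowedWeak(sender: FeishuSender, allowFrom: string[]): boolean {
  return allowFrom.some(
    (entry) => entry === sender.openId || entry === sender.displayName,
  );
}

// Hardened pattern: only the platform-assigned ID is ever compared.
function isAllowedIdOnly(sender: FeishuSender, allowFrom: string[]): boolean {
  const allowed = new Set(allowFrom.map((entry) => entry.trim()));
  return allowed.has(sender.openId);
}

// Audit helper: true when a sender's display name matches an allowlist
// entry while its real ID does not, i.e. the exact collision the weak
// check would have accepted. Worth logging even after the fix.
function isDisplayNameCollision(sender: FeishuSender, allowFrom: string[]): boolean {
  return allowFrom.includes(sender.displayName) && !allowFrom.includes(sender.openId);
}

// Constructed sample data with placeholder IDs (not real Feishu values).
const allowFrom: string[] = ["ou_allowlisted_operator"];
const legitimateSender: FeishuSender = {
  openId: "ou_allowlisted_operator",
  displayName: "Alice",
};
const collidingSender: FeishuSender = {
  openId: "ou_not_on_list",
  displayName: "ou_allowlisted_operator", // display name set to the allowlisted ID
};

// Weak check accepts both senders; ID-only check accepts only the legitimate one.
console.log("weak:", isAllowedWeak(legitimateSender, allowFrom), isAllowedWeak(collidingSender, allowFrom));
console.log("id-only:", isAllowedIdOnly(legitimateSender, allowFrom), isAllowedIdOnly(collidingSender, allowFrom));
console.log("collision flagged:", isDisplayNameCollision(collidingSender, allowFrom));
```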

Remediation

Update to OpenClaw version 2026.2.22 or later, where this vulnerability has been patched.

Added: Mar 19, 2026, 10:40 PM
Updated: Mar 19, 2026, 10:40 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 1.3
exploitability: 5.8
remediation: 0.0
relevance: 4.1
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.