OpenClaw Authorization Bypass Vulnerability in Reaction Events Misclassification

Vulnerability

An authorization bypass vulnerability has been identified in OpenClaw versions prior to 2026.3.12. Feishu reaction events that omit the 'chat_type' field are misclassified by affected versions, so a reaction in a group conversation is treated as a peer-to-peer (p2p) event. Because the group-only checks are then skipped, this misclassification allows attackers to bypass the 'groupAllowFrom' and 'requireMention' protections for reaction-derived events in group chats.
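
The classification flaw described above, shown as an added example: this is illustrative code, not OpenClaw's implementation or its 2026.3.12 fix. The event field names (chat_type, chat_id, sender_id, mentions_bot), the chat registry, the sample reaction event and the policy semantics (a group event is accepted only if the sender is in groupAllowFrom and, when requireMention is set, the bot was mentioned) are all assumptions constructed for the example. The pre-fix shape defaults a missing 'chat_type' to p2p; the hardened variant resolves the type from chats already seen and fails closed to the group rules when it cannot.

```python
"""Example gate for reaction-derived events (constructed; not OpenClaw's code)."""
from dataclasses import dataclass

VALID_CHAT_TYPES = ("p2p", "group")


@dataclass(frozen=True)
class GroupPolicy:
    group_allow_from: frozenset   # senders allowed to trigger the bot in groups
    require_mention: bool = True  # group events must mention the bot


# Constructed sample data. The registry holds chat types learned from earlier
# message events (which carry chat_type); the reaction event, like real Feishu
# reaction events, carries no chat_type at all.
CHAT_REGISTRY = {"oc_group_01": "group", "oc_dm_02": "p2p"}
REACTION_IN_GROUP = {
    "kind": "reaction_created",      # constructed label, not a Feishu event name
    "chat_id": "oc_group_01",
    "sender_id": "ou_not_allowlisted",
    "mentions_bot": False,
}
DEMO_POLICY = GroupPolicy(group_allow_from=frozenset({"ou_trusted"}))


def classify_vulnerable(event: dict) -> str:
    """Pre-fix behaviour: an absent chat_type silently falls through to p2p."""
    return event.get("chat_type", "p2p")


def classify_hardened(event: dict, registry: dict) -> str:
    """Resolve the conversation type; fail closed to 'group' when unknown."""
    chat_type = event.get("chat_type")
    if chat_type in VALID_CHAT_TYPES:
        return chat_type
    # Reaction events omit chat_type: consult what earlier message events
    # taught us about this chat_id instead of guessing p2p.
    chat_type = registry.get(event.get("chat_id", ""))
    if chat_type in VALID_CHAT_TYPES:
        return chat_type
    # Never-seen chat: apply the stricter group rules rather than the p2p path.
    return "group"


def group_gate(event: dict, chat_type: str, policy: GroupPolicy) -> bool:
    """Apply groupAllowFrom / requireMention to group-classified events."""
    if chat_type == "p2p":
        return True  # the p2p path has its own checks; not modelled here
    if event.get("sender_id") not in policy.group_allow_from:
        return False
    if policy.require_mention and not event.get("mentions_bot", False):
        return False
    return True


def authorize(event: dict, policy: GroupPolicy, registry: dict, hardened: bool) -> bool:
    """Full decision: classify the event, then run the group gate on it."""
    if hardened:
        chat_type = classify_hardened(event, registry)
    else:
        chat_type = classify_vulnerable(event)
    return group_gate(event, chat_type, policy)


if __name__ == "__main__":
    # The same group reaction from a non-allowlisted sender, two classifiers.
    print("vulnerable:", authorize(REACTION_IN_GROUP, DEMO_POLICY, CHAT_REGISTRY, hardened=False))
    print("hardened:  ", authorize(REACTION_IN_GROUP, DEMO_POLICY, CHAT_REGISTRY, hardened=True))
```

The point of the hardened variant is the default: when an event type structurally lacks the field a policy decision depends on, the decision must be derived from a trusted source (here, chat types recorded from earlier message events) or fall back to the most restrictive branch, not to the one with the fewest checks. A useful detection hook is to log any reaction event whose chat_id is not in the registry, since that is exactly the case the fail-closed branch handles.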

Impact

Exploitation of this vulnerability allows the 'groupAllowFrom' and 'requireMention' protections to be bypassed for reaction-derived events in group conversations, so reaction events can trigger actions that these group chat protections were meant to restrict.

Remediation

Users are advised to update OpenClaw to version 2026.3.12 or later, where this vulnerability has been fixed.

Added: Mar 29, 2026, 1:25 PM
Updated: Mar 29, 2026, 1:25 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 0.6
exploitability: 7.0
remediation: 0.0
relevance: 4.9
threat: 0.0
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.