OpenClaw Authentication Bypass Vulnerability in Feishu Webhook Mode

Vulnerability

An authentication bypass vulnerability has been identified in OpenClaw versions through 2026.3.11. The issue arises in Feishu webhook mode when only the verificationToken is set and no encryptKey is configured. In this configuration the webhook endpoint cannot reliably authenticate incoming events, so unauthenticated network attackers can send forged Feishu events to it, potentially triggering downstream tool executions depending on the local agent policy.

Impact

Exploitation of this vulnerability allows forged Feishu events to be injected into the system, impersonating legitimate senders and possibly causing unauthorized actions to be executed through connected tools.

Remediation

Users should update to OpenClaw version 2026.3.12 or later and configure an encryptKey for webhook deployments so that incoming events are properly verified.
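The remediation above depends on Feishu's encrypt-key delivery signature: a verificationToken carried inside the JSON body is a static shared value that any sender can copy, so only the per-request signature ties an event to Feishu. The following Python verifier is an added example, not OpenClaw's code; it assumes the header names and the SHA-256(timestamp + nonce + encrypt_key + body) scheme from Feishu's event-subscription documentation, a constructed key and body, and a replay window chosen here rather than taken from the page.

```python
import hashlib
import hmac
import time
from typing import Optional, Tuple

# Feishu event-subscription headers (names taken from Feishu's documentation; assumed here).
TS_HDR = "X-Lark-Request-Timestamp"
NONCE_HDR = "X-Lark-Request-Nonce"
SIG_HDR = "X-Lark-Signature"

MAX_SKEW_SECONDS = 300  # replay window; a local policy choice, not a value from the advisory


def feishu_signature(timestamp: str, nonce: str, encrypt_key: str, body: bytes) -> str:
    """Feishu signs each delivery as hex(SHA-256(timestamp + nonce + encrypt_key + raw body))."""
    material = (timestamp + nonce + encrypt_key).encode("utf-8") + body
    return hashlib.sha256(material).hexdigest()


def verify_feishu_request(headers: dict, body: bytes, encrypt_key: Optional[str],
                          now: Optional[float] = None) -> Tuple[bool, str]:
    """Return (accepted, reason). Refuses to run in token-only mode: without an
    encryptKey there is nothing a forged request cannot reproduce."""
    if not encrypt_key:
        return False, "encryptKey not configured; token-only mode gives no origin check"
    ts, nonce, sig = headers.get(TS_HDR), headers.get(NONCE_HDR), headers.get(SIG_HDR)
    if not (ts and nonce and sig):
        return False, "missing Feishu signature headers"
    try:
        skew = abs((now if now is not None else time.time()) - int(ts))
    except ValueError:
        return False, "non-numeric timestamp"
    if skew > MAX_SKEW_SECONDS:
        return False, "timestamp outside accepted window"
    expected = feishu_signature(ts, nonce, encrypt_key, body)
    if not hmac.compare_digest(expected, sig):  # constant-time compare
        return False, "signature mismatch"
    return True, "ok"


# Constructed sample delivery for demonstration; not real Feishu traffic.
SAMPLE_KEY = "constructed-encrypt-key"
SAMPLE_TS = "1774789860"
SAMPLE_BODY = b'{"schema":"2.0","header":{"event_type":"im.message.receive_v1"}}'


def sample_headers(body: bytes = SAMPLE_BODY, key: str = SAMPLE_KEY) -> dict:
    """Headers as Feishu would send them for SAMPLE_BODY when signing with `key`."""
    nonce = "constructed-nonce"
    return {TS_HDR: SAMPLE_TS, NONCE_HDR: nonce, SIG_HDR: feishu_signature(SAMPLE_TS, nonce, key, body)}
```

A deployment check that fails startup when encryptKey is empty, before any request is served, is the cheapest way to keep token-only mode from ever being reachable.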

Added: Mar 29, 2026, 1:31 PM
Updated: Mar 29, 2026, 1:31 PM

Vulnerability Rating

Custom Algorithm

  Category        Score
  spread          0.0
  impact          7.5
  exploitability  7.4
  remediation     0.0
  relevance       4.9
  threat          0.0
  urgency         2.9
  incentive       4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.