OpenClaw Message Misclassification Vulnerability in Feishu Card Actions
Vulnerability
OpenClaw versions prior to 2026.4.20 classify Feishu card-action callbacks incorrectly: a callback originating in a direct message (DM) is treated as if it came from a group conversation. Because 'dmPolicy' is only applied to conversations classified as DMs, an attacker can trigger card-action flows in a DM thread that 'dmPolicy' should have blocked.
Impact
Card actions sent in direct messages are handled under group-conversation rules instead of DM rules, so flows that 'dmPolicy' (for example an allowlist or a disabled-DM setting) should block are executed.
Reproduction
Send a card-action event from a direct message conversation on Feishu to an affected OpenClaw instance. The callback is processed as though it arrived from a group chat, so the restrictions that 'dmPolicy' would normally enforce on that DM are not applied.
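The following is an added illustration of the bug class described above and is not OpenClaw's own code. It models a classifier that defaults every callback without an explicit "p2p" marker to "group" (the kind of logic that lets a DM slip past 'dmPolicy'), beside a hardened classifier that resolves the chat id and fails closed to the more restricted DM class. The event shape, the policy names ("open", "allowlist", "disabled"), the directory lookup and the sample events are all assumptions made for the example, not OpenClaw's real API or Feishu's exact payload.

```typescript
// Added example: a default-to-group classifier beside a fail-closed one.
// All names and payload shapes here are hypothetical, not OpenClaw's or Feishu's.

type ChatKind = "dm" | "group";
type DmPolicy = "open" | "allowlist" | "disabled"; // assumed policy values

// Modelled card-action callback. Feishu message events carry a chat type;
// this model leaves it optional to represent a callback that lacks it. (assumption)
interface CardActionEvent {
  context: { open_chat_id: string };
  operator: { open_id: string };
  chat_type?: "p2p" | "group";
}

// Stand-in for a chat lookup (e.g. a cached chat-info API call). (assumption)
interface ChatDirectory {
  kindOf(chatId: string): ChatKind | undefined;
}

interface Config {
  dmPolicy: DmPolicy;
  allowFrom: string[];
}

// Vulnerable shape: anything not explicitly "p2p" is treated as a group chat,
// so a callback with no chat_type is never subjected to dmPolicy.
function classifyLegacy(ev: CardActionEvent, _dir: ChatDirectory): ChatKind {
  return ev.chat_type === "p2p" ? "dm" : "group";
}

// Hardened shape: honour an explicit chat_type, otherwise resolve the chat id,
// and fail closed to "dm" (the more restricted class) when it cannot be resolved.
function classifyStrict(ev: CardActionEvent, dir: ChatDirectory): ChatKind {
  if (ev.chat_type === "p2p") return "dm";
  if (ev.chat_type === "group") return "group";
  return dir.kindOf(ev.context.open_chat_id) ?? "dm";
}

function isDmAllowed(cfg: Config, sender: string): boolean {
  switch (cfg.dmPolicy) {
    case "open":
      return true;
    case "allowlist":
      return cfg.allowFrom.includes(sender);
    case "disabled":
      return false;
    default:
      return false;
  }
}

// Decide whether a card action is handled. Group handling is governed elsewhere
// and is not modelled; only the DM branch consults dmPolicy.
function shouldHandle(
  ev: CardActionEvent,
  cfg: Config,
  dir: ChatDirectory,
  classify: (ev: CardActionEvent, dir: ChatDirectory) => ChatKind,
): boolean {
  const kind = classify(ev, dir);
  if (kind === "group") return true;
  return isDmAllowed(cfg, ev.operator.open_id);
}

// Constructed sample data: one DM chat, one group chat, an allowlist that
// only admits "ou_owner", and a card action from an unlisted sender in the DM.
const DIRECTORY: ChatDirectory = {
  kindOf: (id) => ({ oc_dm_1: "dm", oc_group_1: "group" } as Record<string, ChatKind>)[id],
};
const CONFIG: Config = { dmPolicy: "allowlist", allowFrom: ["ou_owner"] };
const DM_EVENT: CardActionEvent = {
  context: { open_chat_id: "oc_dm_1" },
  operator: { open_id: "ou_stranger" },
};
const GROUP_EVENT: CardActionEvent = {
  context: { open_chat_id: "oc_group_1" },
  operator: { open_id: "ou_stranger" },
};

// The legacy classifier lets the unlisted sender through; the strict one blocks it.
const legacyHandled = shouldHandle(DM_EVENT, CONFIG, DIRECTORY, classifyLegacy);
const strictHandled = shouldHandle(DM_EVENT, CONFIG, DIRECTORY, classifyStrict);
console.log({ legacyHandled, strictHandled });
```

The point of the hardened branch is the final fallback: when the callback carries no usable chat type and the chat id cannot be resolved, the safe answer is "dm", because misclassifying a group as a DM only over-restricts, while misclassifying a DM as a group is exactly the bypass this advisory describes.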
Remediation
Update OpenClaw to version 2026.4.20 or later, where card-action callbacks from direct messages are classified as DMs and 'dmPolicy' is applied to them. After updating, confirm the running version and re-test a card action from a DM under a restrictive 'dmPolicy' to verify that it is now blocked.
