
Feishu Webhook in OpenClaw Can Accept Fake Events

GHSA-g353-mgv3-8pcj
Summary

Feishu webhooks in OpenClaw 2026.3.11 and earlier accept forged events when only a verification token is configured (no `encryptKey`), allowing an unauthenticated attacker who can reach the webhook endpoint to impersonate a legitimate sender and potentially trigger actions on your system. To fix this, update to OpenClaw 2026.3.12 or later and make sure an encryption key (`encryptKey`) is configured for your Feishu webhook.

What to do
  • Update openclaw to version 2026.3.12 or later, and configure `encryptKey` for the Feishu webhook.
Affected software
Vendor | Product | Affected versions | Fix available
– | openclaw | <= 2026.3.11 | 2026.3.12
Original title
OpenClaw: Feishu webhook mode accepted forged events when only `verificationToken` was configured
Original description
### Summary

Feishu webhook mode allowed deployments that configured only `verificationToken` without `encryptKey`. In that state, forged inbound events could be accepted because the weaker configuration did not provide the required cryptographic verification boundary.

### Impact

An unauthenticated network attacker who could reach the webhook endpoint could inject forged Feishu events, impersonate senders, and potentially trigger downstream tool execution subject to the local agent policy.

### Affected versions

`openclaw` `<= 2026.3.11`

### Patch

Fixed in `openclaw` `2026.3.12`. Feishu webhook mode now fails closed unless `encryptKey` is configured, and the webhook transport rejects missing or invalid signatures before dispatch. Update to `2026.3.12` or later and configure `encryptKey` for webhook deployments.
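The following TypeScript is an added illustration of the fail-closed behaviour the patch describes; it is not OpenClaw's code and makes no claim about how the project implements the check. It assumes Feishu's documented request signature (hex SHA-256 over timestamp + nonce + encrypt key + raw body, carried in the `X-Lark-Signature`, `X-Lark-Request-Timestamp` and `X-Lark-Request-Nonce` headers). The config shape, the replay window, the header-only view of the request, and all fixture values are assumptions for the example; the replay check goes beyond what the advisory states and is included because a signature scheme with a timestamp invites it.

```typescript
import { createHash, timingSafeEqual } from "node:crypto";

// The two settings the advisory names. Assumption: the real OpenClaw config has more
// fields; only these matter for the verification boundary discussed here.
export interface FeishuWebhookConfig {
  verificationToken?: string;
  encryptKey?: string;
}

// Minimal view of an inbound HTTP request: lower-cased header names, raw body as text.
export interface InboundRequest {
  headers: Record<string, string | undefined>;
  rawBody: string;
}

export type Verdict = { ok: true } | { ok: false; reason: string };

// Feishu's documented signature: hex(SHA-256(timestamp + nonce + encryptKey + rawBody)).
// Note that the verification token is not part of this calculation at all.
export function computeFeishuSignature(
  timestamp: string,
  nonce: string,
  encryptKey: string,
  rawBody: string,
): string {
  return createHash("sha256")
    .update(timestamp + nonce + encryptKey + rawBody, "utf8")
    .digest("hex");
}

// Replay window in seconds (hypothetical value chosen for this example).
export const MAX_CLOCK_SKEW_SECONDS = 300;

// Fail-closed verifier: a request is accepted only if encryptKey is configured and the
// signature over the exact raw body verifies. Runs before anything is parsed or dispatched.
export function verifyInbound(
  cfg: FeishuWebhookConfig,
  req: InboundRequest,
  nowSeconds: number,
): Verdict {
  // The fixed behaviour from the advisory: without encryptKey there is no cryptographic
  // boundary, so webhook mode refuses the request outright. A verificationToken alone is
  // a plaintext field in an attacker-controlled body and proves nothing about the sender.
  if (!cfg.encryptKey) {
    return { ok: false, reason: "encryptKey not configured; webhook mode disabled" };
  }

  const timestamp = req.headers["x-lark-request-timestamp"];
  const nonce = req.headers["x-lark-request-nonce"];
  const signature = req.headers["x-lark-signature"];
  if (!timestamp || !nonce || !signature) {
    return { ok: false, reason: "missing signature headers" };
  }

  // Bound the replay window: a captured valid delivery must not stay valid forever.
  const ts = Number(timestamp);
  if (!Number.isFinite(ts) || Math.abs(nowSeconds - ts) > MAX_CLOCK_SKEW_SECONDS) {
    return { ok: false, reason: "timestamp outside accepted window" };
  }

  // Recompute over the raw body as received; any byte an attacker changes alters the digest.
  const expected = computeFeishuSignature(timestamp, nonce, cfg.encryptKey, req.rawBody);
  const a = Buffer.from(expected, "utf8");
  const b = Buffer.from(signature, "utf8");
  if (a.length !== b.length || !timingSafeEqual(a, b)) {
    return { ok: false, reason: "invalid signature" };
  }
  return { ok: true };
}

// Builds the headers a genuine Feishu delivery would carry (constructed fixture for local
// testing, not captured traffic).
export function signRequest(
  encryptKey: string,
  rawBody: string,
  timestamp: string,
  nonce: string,
): InboundRequest {
  return {
    headers: {
      "x-lark-request-timestamp": timestamp,
      "x-lark-request-nonce": nonce,
      "x-lark-signature": computeFeishuSignature(timestamp, nonce, encryptKey, rawBody),
    },
    rawBody,
  };
}

// Walks through the advisory's scenarios: a token-only deployment receiving a forged event,
// then a properly configured deployment receiving genuine, tampered and replayed events.
export function demo(): Record<string, Verdict> {
  const encryptKey = "example-encrypt-key"; // constructed secret
  const now = 1_773_360_000; // constructed "current time", seconds since epoch
  // Constructed forged event: anyone who has seen the token value can put it in a body.
  const forgedBody = JSON.stringify({
    token: "leaked-verification-token",
    header: { event_type: "im.message.receive_v1" },
  });
  const forged: InboundRequest = { headers: {}, rawBody: forgedBody };
  const genuine = signRequest(encryptKey, '{"encrypt":"opaque-ciphertext"}', String(now), "n0nce");
  const tampered: InboundRequest = { ...genuine, rawBody: '{"encrypt":"attacker-ciphertext"}' };
  return {
    tokenOnlyForged: verifyInbound({ verificationToken: "leaked-verification-token" }, forged, now),
    fullConfigGenuine: verifyInbound({ encryptKey }, genuine, now + 5),
    fullConfigTampered: verifyInbound({ encryptKey }, tampered, now + 5),
    fullConfigReplayed: verifyInbound({ encryptKey }, genuine, now + 3600),
  };
}
```

The order of checks matters: configuration is rejected first, then header presence, then the time window, and only then is the digest recomputed, so no body is parsed or handed to a dispatcher until the signature holds. In a real deployment the body is Feishu's encrypted envelope; decrypting it happens after this verdict, not before.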
Severity: CVSS 3.1 base score 8.6 (source: GHSA)
Vulnerability type
CWE-347 Improper Verification of Cryptographic Signature
Published: 13 Mar 2026 · Updated: 14 Mar 2026 · First seen: 13 Mar 2026