Feishu Reaction Events Can Bypass Group Chat Security
GHSA-m69h-jm2f-2pv8
Summary
A security issue was found in OpenClaw's Feishu integration. When a Feishu reaction payload omitted `chat_type`, the synthetic event OpenClaw built from it could be classified as a private (`p2p`) message rather than a group message, so the `groupAllowFrom` and `requireMention` checks that normally gate group chats were not applied to reaction-derived events. Update OpenClaw to version 2026.3.12 or later.
What to do
- Update openclaw to version 2026.3.12 or later.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | openclaw | <= 2026.3.11 | 2026.3.12 |
Original title
OpenClaw: Feishu reaction events could bypass group authorization and mention gating
Original description
### Summary
A Feishu reaction-originated synthetic event could misclassify a group conversation as `p2p` when the inbound reaction payload omitted `chat_type`. Authorization and mention-gating logic keyed off that incorrect chat type and evaluated the event as a direct message instead of a group message.
### Impact
This could bypass `groupAllowFrom` and `requireMention` protections for reaction-derived events in Feishu group chats.
### Affected versions
`openclaw` `<= 2026.3.11`
### Patch
Fixed in `openclaw` `2026.3.12`. Reaction events now preserve the correct group context before authorization and mention-gate evaluation. Users should update to `2026.3.12` or later.
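The two paragraphs above describe the mechanism but not the shape of the bug. The following is an added illustration, not OpenClaw's code or the actual patch: a classifier that defaults a missing `chat_type` to `p2p` is placed beside a fail-closed replacement that recovers the chat context from the chat id, and both are run through a gate that mirrors the `groupAllowFrom` / `requireMention` evaluation the advisory describes. Every name here (`ReactionEvent`, `GroupPolicy`, `classifyChatVulnerable`, `classifyChatFixed`, `authorizeReaction`, the chat and user ids) is hypothetical, and the sample payload is constructed.

```typescript
// Added illustration of the chat_type misclassification described in the
// advisory. Not OpenClaw's code; all names and sample ids are hypothetical.

type ChatType = "p2p" | "group";

// Reaction-derived synthetic event. Feishu reaction payloads may omit
// chat_type, which is what triggers the bug.
interface ReactionEvent {
  chatId: string;
  senderId: string;
  chatType?: ChatType;
}

interface GroupPolicy {
  groupAllowFrom: string[]; // senders allowed to trigger the bot in groups
  requireMention: boolean;  // group triggers must @-mention the bot
}

interface Decision {
  allowed: boolean;
  chatType: ChatType;
  reason: string;
}

// Constructed: chats the bot has already seen, keyed by their resolved type.
const knownGroupChats = new Set<string>(["oc_constructed_group"]);
const knownDirectChats = new Set<string>(["oc_constructed_dm"]);

// Vulnerable classifier: an absent chat_type silently becomes "p2p".
function classifyChatVulnerable(ev: ReactionEvent): ChatType {
  return ev.chatType ?? "p2p";
}

// Fixed classifier: prefer the wire value, then the recorded chat context,
// and fail closed to "group" (the stricter path) for anything unrecognised.
function classifyChatFixed(ev: ReactionEvent): ChatType {
  if (ev.chatType !== undefined) return ev.chatType;
  if (knownDirectChats.has(ev.chatId)) return "p2p";
  return knownGroupChats.has(ev.chatId) ? "group" : "group";
}

// Gate evaluation keyed off the chat type. A reaction carries no @-mention,
// so requireMention can never be satisfied by a reaction-derived event.
function authorizeReaction(
  ev: ReactionEvent,
  policy: GroupPolicy,
  classify: (ev: ReactionEvent) => ChatType,
): Decision {
  const chatType = classify(ev);
  if (chatType === "p2p") {
    // Direct-message path: the group gates are not consulted at all
    // (a separate DM allow list would live here; omitted for brevity).
    return { allowed: true, chatType, reason: "evaluated as direct message" };
  }
  if (!policy.groupAllowFrom.includes(ev.senderId)) {
    return { allowed: false, chatType, reason: "sender not in groupAllowFrom" };
  }
  if (policy.requireMention) {
    return { allowed: false, chatType, reason: "requireMention not satisfied by a reaction" };
  }
  return { allowed: true, chatType, reason: "group sender allowed, no mention required" };
}

// Constructed sample: a reaction from a user who is not in groupAllowFrom,
// in a known group chat, with chat_type missing from the payload.
const samplePolicy: GroupPolicy = { groupAllowFrom: ["ou_trusted"], requireMention: true };
const sampleReaction: ReactionEvent = { chatId: "oc_constructed_group", senderId: "ou_outsider" };

const before = authorizeReaction(sampleReaction, samplePolicy, classifyChatVulnerable);
const after = authorizeReaction(sampleReaction, samplePolicy, classifyChatFixed);
```

With the vulnerable classifier the constructed reaction is treated as a direct message and allowed; with the fixed one it is evaluated as a group event and rejected at the `groupAllowFrom` check. The design point is that an optional field on an inbound payload must never default to the less-restrictive branch of an authorization decision: resolve the context from something the service already trusts, and when that fails, fall through to the path that applies every gate.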
CVSS 4.0 score (GHSA): 6.9
Vulnerability type
- CWE-285: Improper Authorization
- CWE-863: Incorrect Authorization
References
- https://github.com/openclaw/openclaw/security/advisories/GHSA-m69h-jm2f-2pv8
- https://github.com/openclaw/openclaw/pull/44088
- https://github.com/openclaw/openclaw/commit/3e730c0332eb0a3dc9e1e8c29a5f95e93331...
- https://github.com/openclaw/openclaw/releases/tag/v2026.3.12
- https://github.com/advisories/GHSA-m69h-jm2f-2pv8
Published: 13 Mar 2026 · Updated: 14 Mar 2026 · First seen: 13 Mar 2026