CVE-2026-32021

OpenClaw versions prior to 2026.2.22 contain an authorization bypass vulnerability in the Feishu allowFrom allowlist implementation that accepts mutable sender display names instead of enforcing ID-only matching. An attacker can set a display name equal to an allowlisted ID string to bypass authorization checks and gain unauthorized access.
Configurations

Configuration 1

cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*

History

25 Mar 2026, 15:16

Type | Values Removed | Values Added
CVSS | v2: unknown; v3: 4.8 | v2: unknown; v3: 6.5

23 Mar 2026, 17:51

Type | Values Removed | Values Added
Summary | (none) | (es) OpenClaw versions prior to 2026.2.22 contain an authorization bypass vulnerability in the Feishu allowFrom allowlist implementation, which accepts mutable sender display names instead of enforcing ID-only matching. An attacker can set a display name equal to an allowlisted ID string to bypass authorization checks and gain unauthorized access.
CPE | (none) | cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*
First Time | (none) | Openclaw openclaw; Openclaw
References | https://github.com/openclaw/openclaw/commit/4ed87a667263ed2d422b9d5d5a5d326e099f92c7 (untagged) | https://github.com/openclaw/openclaw/commit/4ed87a667263ed2d422b9d5d5a5d326e099f92c7 - Patch
References | https://github.com/openclaw/openclaw/security/advisories/GHSA-j4xf-96qf-rx69 (untagged) | https://github.com/openclaw/openclaw/security/advisories/GHSA-j4xf-96qf-rx69 - Vendor Advisory
References | https://www.vulncheck.com/advisories/openclaw-authorization-bypass-via-display-name-collision-in-feishu-allowfrom (untagged) | https://www.vulncheck.com/advisories/openclaw-authorization-bypass-via-display-name-collision-in-feishu-allowfrom - Third Party Advisory

19 Mar 2026, 22:16

Type | Values Removed | Values Added
New CVE | (none) | (none)

Information

Published : 2026-03-19 22:16

Updated : 2026-03-25 15:16


NVD link : CVE-2026-32021

Mitre link : CVE-2026-32021

CVE.ORG link : CVE-2026-32021



Products Affected

openclaw

  • openclaw
CWE

CWE-863 : Incorrect Authorization