PT-2026-25467 · Npm · Openclaw
Published: 2026-03-03 · Updated: 2026-03-03
CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Summary
Feishu allowlist authorization could be bypassed by display-name collision.
Details
channels.feishu.allowFrom is documented as an ID-based allowlist (a list of open IDs), but Feishu policy matching accepted mutable sender display names in the same namespace as the IDs. An attacker could set a display name equal to an allowlisted ID string and pass the authorization check.

The fix enforces ID-only matching for Feishu allowlist checks, normalizes Feishu ID prefixes during comparison, and ignores mutable display names for authorization.
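To make the collision concrete, here is an added illustration (not OpenClaw's code) of an allowlist matcher with the flaw described above, beside a hardened version that compares only the immutable open ID. The function names, the sender object shape, the "feishu:" prefix rule in the normalizer and all ID values are constructed for this example and are not taken from the project.

```javascript
// Added example, not OpenClaw's code: a Feishu-style allowlist matcher with the
// display-name collision flaw, next to a hardened ID-only matcher.
// Function names, sender shape, prefix rule and all ID values are assumptions.

// Constructed allowlist, as an operator might set channels.feishu.allowFrom.
// Feishu open IDs conventionally start with "ou_"; the value itself is made up.
const ALLOW_FROM = ["ou_abc123allowlisted"];

// Constructed inbound senders. A sender controls its own display name but not its open ID.
const LEGIT_SENDER = { openId: "ou_abc123allowlisted", displayName: "Alice" };
const SPOOFED_SENDER = { openId: "ou_zzz999notallowed", displayName: "ou_abc123allowlisted" };

// Vulnerable matcher: open ID and display name are checked in one namespace,
// so a display name equal to an allowlisted ID string satisfies the allowlist.
function isAllowedVulnerable(sender, allowFrom) {
  const candidates = [sender.openId, sender.displayName];
  return allowFrom.some((entry) => candidates.includes(entry));
}

// Assumed normalization (illustrative, not the project's rule): trim whitespace
// and strip an optional "feishu:" scheme prefix so "feishu:ou_x" equals "ou_x".
// Returns null for anything that is not a usable ID string.
function normalizeFeishuId(value) {
  if (typeof value !== "string") return null;
  const trimmed = value.trim();
  const stripped = trimmed.startsWith("feishu:") ? trimmed.slice("feishu:".length) : trimmed;
  return stripped.length > 0 ? stripped : null;
}

// Hardened matcher: only the open ID is compared, after normalizing both sides.
// The mutable display name never takes part in the authorization decision.
function isAllowedFixed(sender, allowFrom) {
  const senderId = normalizeFeishuId(sender.openId);
  if (senderId === null) return false;
  return allowFrom.some((entry) => normalizeFeishuId(entry) === senderId);
}

// Runs both matchers over the constructed senders and returns the outcomes.
function demo() {
  return {
    vulnLegit: isAllowedVulnerable(LEGIT_SENDER, ALLOW_FROM),       // true
    vulnSpoofed: isAllowedVulnerable(SPOOFED_SENDER, ALLOW_FROM),   // true: the bypass
    fixedLegit: isAllowedFixed(LEGIT_SENDER, ALLOW_FROM),           // true
    fixedSpoofed: isAllowedFixed(SPOOFED_SENDER, ALLOW_FROM),       // false
    fixedPrefixed: isAllowedFixed(
      { openId: " feishu:ou_abc123allowlisted ", displayName: "x" }, ALLOW_FROM), // true
  };
}

console.log(demo());
```

The point of the hardened matcher is not the particular prefix rule but the shape of the check: the allowlist is compared against exactly one attribute the sender cannot change, and that attribute is normalized on both sides before the equality test so that a formatting difference never silently turns into a denied legitimate sender or, worse, a lookup against the wrong field.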
Impact
Deployments using Feishu allowlist-based authorization could incorrectly authorize non-allowlisted senders when a colliding display name was used.
Affected Packages / Versions
- Package: openclaw (npm)
- Latest published version at triage time: 2026.2.21-2
- Affected range: <= 2026.2.21-2
- Planned patched version: >= 2026.2.22
Fix Commit(s)
4ed87a667263ed2d422b9d5d5a5d326e099f92c7
Release Process Note
The patched version is pre-set to the planned next release (>= 2026.2.22) so the advisory is ready to publish once that npm release is available.

OpenClaw thanks @jiseoung for reporting.
Fix
Incorrect Authorization
IDOR
Related identifiers
Affected products
Openclaw