CVE-2026-32021

Name of the Vulnerable Software and Affected Versions OpenClaw versions prior to 2026.2.22

Description OpenClaw versions before 2026.2.22 contain an authorization bypass in the Feishu allowFrom allowlist implementation. The system accepts mutable sender display names instead of enforcing matching based on ID only. An attacker can set a display name equal to an allowlisted ID string to bypass authorization checks and gain unauthorized access. The channels.feishu.allowFrom feature is documented as an ID-based allowlist, but it accepted mutable sender display names. This allowed an attacker to use a display name that matched an allowed ID, bypassing authorization. The fix enforces ID-only matching for Feishu allowlist checks, normalizes Feishu ID prefixes during comparison, and ignores mutable display names for authorization. Deployments using Feishu allowlist-based authorization could incorrectly authorize non-allowlisted senders when a colliding display name was used.

Recommendations Update OpenClaw to version 2026.2.22 or later.