CVEReports

Automated vulnerability intelligence platform. Comprehensive reports for high-severity CVEs generated by AI.


© 2026 CVEReports. All rights reserved.

Made with love by Amit Schendel & Alon Barad



Advisory GHSA-77W2-CRQV-CMV3 (CVSS 5.3)

GHSA-77W2-CRQV-CMV3: Authorization Bypass via Legacy Card Callbacks in OpenClaw Feishu Integration

Alon Barad
Software Engineer

Mar 29, 2026 · 5 min read

PoC Available

Executive Summary (TL;DR)

OpenClaw versions prior to 2026.3.26 fail to enforce Direct Message (DM) pairing validation on legacy Feishu interactive card callbacks, allowing unauthorized users to execute privileged commands.

An authorization bypass in the OpenClaw Feishu integration lets an attacker execute privileged bot commands. By crafting legacy interactive cards that lack the modern structure markers, the attacker causes the resulting callbacks to skip the Direct Message (DM) pairing security checks.

Vulnerability Overview

The openclaw package provides a unified integration framework for various messaging channels, including Feishu (Lark). The Feishu extension utilizes a Direct Message (DM) pairing mechanism designed to enforce strict authorization. This mechanism ensures that commands and interactive callbacks originate only from explicitly authorized users and channels.

A vulnerability in OpenClaw versions prior to 2026.3.26 allows users to circumvent this DM pairing mechanism. The flaw resides in the handling of legacy interactive card payloads. Attackers can leverage the send action to transmit maliciously crafted Feishu cards containing legacy interactive elements.

When these legacy elements are interacted with, the resulting callback triggers an older, insecure execution path in the OpenClaw backend. This legacy path processes the callback as a valid command or text input without enforcing the mandatory DM pairing authorization checks. This results in a CWE-285 Improper Authorization vulnerability.

Root Cause Analysis

The primary root cause of this authorization bypass is the continued support for a legacy execution path within the Feishu channel integration. Modern interactions use structured interaction envelopes that enforce strict validation, including DM pairing validation. The legacy path was kept for backward compatibility but lacked equivalent authorization enforcement.

The second contributing factor is the absence of comprehensive outbound validation within the send action. The Feishu extension permitted the transmission of arbitrary JSON payloads for interactive cards. It failed to sanitize or inspect these outbound payloads for legacy components that would subsequently trigger the insecure legacy callback path upon interaction.

This design flaw creates a delayed exploitation vector. The vulnerability is not exploited during the direct execution of a command, but rather during the delayed processing of an interactive callback generated by a previously transmitted, unsanitized payload. The backend assumes that any callback originating from a Feishu card is trusted, failing to account for cards minted by unauthorized users leveraging the insecure send surface.

Code Analysis

Understanding the mitigation strategy requires reading the patch. The developers chose to address the outbound validation failure rather than remove the legacy execution path entirely: they introduced an egress filter in the send action handler that blocks the transmission of legacy payloads.

The patch, introduced in commit 81c45976db532324b5a0918a70decc19520dc354, implements two validation functions in extensions/feishu/src/channel.ts. The hasLegacyFeishuCardCommandValue function checks if a node lacks the modern version marker (oc) and contains a raw command or text string.

// From extensions/feishu/src/channel.ts. isRecord() and
// FEISHU_CARD_INTERACTION_VERSION are defined elsewhere in the same module.
function hasLegacyFeishuCardCommandValue(actionValue: unknown): boolean {
  return (
    // must be a plain object ...
    isRecord(actionValue) &&
    // ... that lacks the modern "oc" version marker ...
    actionValue.oc !== FEISHU_CARD_INTERACTION_VERSION &&
    // ... and carries a non-empty raw command or text string the legacy path would execute
    (Boolean(typeof actionValue.command === "string" && actionValue.command.trim()) ||
      Boolean(typeof actionValue.text === "string" && actionValue.text.trim()))
  );
}

The containsLegacyFeishuCardCommandValue function recursively traverses the outbound card JSON to identify any button tags containing a legacy structure. If such a structure is detected during the send action, the system throws an error, preventing the malicious card from reaching the Feishu channel.
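The recursive egress filter described above, as an added example that is not OpenClaw's own code: it reconstructs the traversal from the description, assumes a placeholder value for FEISHU_CARD_INTERACTION_VERSION, and runs it over a constructed legacy card and a constructed modern card.

```typescript
// Added example, not the project's implementation. The version marker value is a
// placeholder assumption; the real constant lives in extensions/feishu/src/channel.ts.
const FEISHU_CARD_INTERACTION_VERSION = 1;

function isRecord(v: unknown): v is Record<string, unknown> {
  return typeof v === "object" && v !== null && !Array.isArray(v);
}

// A button value is "legacy" when it lacks the oc marker but still carries a raw
// command or text string that the old, unpaired callback handler would execute.
function hasLegacyFeishuCardCommandValue(actionValue: unknown): boolean {
  return (
    isRecord(actionValue) &&
    actionValue.oc !== FEISHU_CARD_INTERACTION_VERSION &&
    (Boolean(typeof actionValue.command === "string" && actionValue.command.trim()) ||
      Boolean(typeof actionValue.text === "string" && actionValue.text.trim()))
  );
}

// Walk the whole card (elements, nested action arrays, columns, ...) looking for
// any button with a legacy value. Nesting depth is bounded and the filter fails
// closed, so a card it cannot fully inspect is never certified as safe.
function containsLegacyFeishuCardCommandValue(node: unknown, depth = 0): boolean {
  if (depth > 64) return true;
  if (Array.isArray(node)) return node.some((c) => containsLegacyFeishuCardCommandValue(c, depth + 1));
  if (!isRecord(node)) return false;
  if (node.tag === "button" && hasLegacyFeishuCardCommandValue(node.value)) return true;
  return Object.values(node).some((c) => containsLegacyFeishuCardCommandValue(c, depth + 1));
}

// Egress check as a send action would apply it: refuse to transmit rather than sanitize.
function assertSafeOutboundCard(card: unknown): void {
  if (containsLegacyFeishuCardCommandValue(card)) {
    throw new Error("refusing to send Feishu card: button carries a legacy command/text value");
  }
}

// Constructed sample cards. The legacy one buries the button two levels deep.
const legacyCard = {
  elements: [
    { tag: "div", text: { tag: "plain_text", content: "Deployment status" } },
    { tag: "action", actions: [
      { tag: "button", text: { tag: "plain_text", content: "Critical Update" },
        value: { command: "/exec-privileged-command --args" } } ] },
  ],
};
const modernCard = {
  elements: [{ tag: "action", actions: [
    { tag: "button", text: { tag: "plain_text", content: "Approve" },
      value: { oc: FEISHU_CARD_INTERACTION_VERSION, command: "/approve" } } ] }],
};
```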

Exploitation Methodology

Exploitation requires the attacker to have sufficient access to invoke the OpenClaw send action, or the ability to influence the content of cards generated by other processes. The attacker constructs a custom JSON payload representing a Feishu card.

The critical component of this payload is a button element designed to trigger the legacy callback path. The value property of the button is populated with a raw command object, such as {"command": "/exec-privileged-command --args"}, omitting the modern oc version identifier.

{
  "tag": "button",
  "text": { "tag": "plain_text", "content": "Critical Update" },
  "value": { "command": "/exec-privileged-command --args" }
}

Once the card is transmitted to a chat interface, it appears as a standard interactive element. When a user or the attacker clicks the button, the Feishu platform transmits a callback to the OpenClaw webhook. The backend routes the payload to the legacy handler, which executes the embedded command with elevated privileges, fully bypassing the DM pairing authorization requirement.

Impact Assessment

The successful exploitation of this vulnerability allows an attacker to execute arbitrary bot commands that would normally be restricted by the DM pairing policy. This represents a significant privilege escalation vector within the context of the messaging platform integration.

The exact impact depends heavily on the commands exposed by the specific OpenClaw implementation. If the bot has access to sensitive administrative functions or deployment operations, the attacker gains unauthorized access to those capabilities. The vulnerability effectively nullifies the primary security boundary established by the DM pairing configuration.

This issue is classified as CWE-285 (Improper Authorization) and CWE-602 (Client-Side Enforcement of Server-Side Security). While the severity is rated as Medium, environments heavily reliant on DM pairing for access control should treat this as a high-priority risk.

Remediation and Mitigation

The primary remediation strategy is upgrading the openclaw package to version 2026.3.26 or later. This version contains the essential egress filtering logic required to prevent the transmission of legacy interactive cards.

Security engineers must verify that the dmPolicy configuration is explicitly set to pairing across all active channels. While the patch addresses the outbound payload generation, maintaining strict policy configurations provides a defense-in-depth posture against variant callback manipulation techniques.

Organizations utilizing custom OpenClaw extensions should review their outbound payload generation logic. Any custom code that constructs Feishu cards must ensure the inclusion of the structured interaction envelope markers (oc version field) to comply with modern validation standards and prevent accidental exposure to legacy execution paths.

Official Patches

OpenClaw: Fix Commit in OpenClaw Repository

Technical Appendix

CVSS Score
5.3 / 10

Affected Systems

OpenClaw Feishu Channel Integration

Affected Versions Detail

Product              Affected Versions   Fixed Version
openclaw (OpenClaw)  < 2026.3.26         2026.3.26

Attribute            Detail
Vulnerability Class  Improper Authorization (CWE-285)
Component            openclaw npm package
Attack Vector        Network (Crafted JSON Card)
Severity             Medium
Exploit Status       Proof of Concept
Fix Availability     Available in version 2026.3.26

MITRE ATT&CK Mapping

T1548      Abuse Elevation Control Mechanism (Privilege Escalation)
T1071.001  Application Layer Protocol: Web Protocols (Command and Control)
T1566      Phishing (Initial Access)

CWE-285: Improper Authorization

The software does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.

Vulnerability Timeline

2026-03-26  Vulnerability fixed in commit 81c45976db532324b5a0918a70decc19520dc354
2026-03-26  OpenClaw version 2026.3.26 released
2026-03-26  GitHub Advisory GHSA-77W2-CRQV-CMV3 published

References & Sources

  • [1] GitHub Security Advisory GHSA-77W2-CRQV-CMV3
  • [2] OpenClaw Fix Commit
  • [3] OpenClaw Security Tracking Repository
  • [4] AliCloud Vulnerability Database AVD-2026-1863798

Attack Flow Diagram
