CVE-2026-62187
OpenClaw · Feishu
The OpenClaw Feishu npm package contains an authorization bypass vulnerability, allowing authenticated users to perform unauthorized operations.
Executive summary
An authorization bypass vulnerability in the OpenClaw Feishu npm package allows authenticated users to exceed their intended permissions, posing a significant security risk.
Vulnerability
This is an incorrect authorization vulnerability (CWE-863). The vulnerability requires the attacker to have low-level privileges (PR:L) to exploit, allowing them to perform unauthorized actions at a higher privilege level.
Business impact
The ability for a low-privileged user to bypass authorization controls can lead to unauthorized data modification, privilege escalation, or access to restricted administrative functions. With a CVSS score of 8.1, the potential for internal system compromise is high, necessitating immediate remediation.
Remediation
Immediate Action: Update the @openclaw/feishu npm package to version 2026.6.9 or later immediately.
Proactive Monitoring: Review application logs for unusual activity performed by low-privileged user accounts that typically should not have access to specific Feishu tools or functions.
Compensating Controls: Audit and restrict user permissions within the application environment to ensure that the principle of least privilege is enforced until the update is deployed.
Exploitation status
Public Exploit Available: Unknown
Analyst recommendation
All users of the @openclaw/feishu package must update to version 2026.6.9 immediately. Failure to patch this vulnerability leaves the application susceptible to privilege escalation and unauthorized administrative actions by existing users.