CVE-2026-62187

OpenClaw · Feishu

The OpenClaw Feishu npm package contains an authorization bypass vulnerability, allowing authenticated users to perform unauthorized operations.

Executive summary

An authorization bypass vulnerability in the OpenClaw Feishu npm package allows authenticated users to exceed their intended permissions, posing a significant security risk.

Vulnerability

This is an incorrect authorization vulnerability (CWE-863). The vulnerability requires the attacker to have low-level privileges (PR:L) to exploit, allowing them to perform unauthorized actions at a higher privilege level.

Business impact

The ability for a low-privileged user to bypass authorization controls can lead to unauthorized data modification, privilege escalation, or access to restricted administrative functions. With a CVSS score of 8.1, the potential for internal system compromise is high, necessitating immediate remediation.

Remediation

Immediate Action: Update the @openclaw/feishu npm package to version 2026.6.9 or later immediately.

Proactive Monitoring: Review application logs for unusual activity performed by low-privileged user accounts that typically should not have access to specific Feishu tools or functions.

Compensating Controls: Audit and restrict user permissions within the application environment to ensure that the principle of least privilege is enforced until the update is deployed.

Exploitation status

Public Exploit Available: Unknown

Analyst recommendation

All users of the @openclaw/feishu package must update to version 2026.6.9 immediately. Failure to patch this vulnerability leaves the application susceptible to privilege escalation and unauthorized administrative actions by existing users.