OpenClaw, an npm package for handling Feishu messaging integrations, ships with a critical flaw in versions up to 2026.3.24. Attackers can send raw Feishu cards that generate legacy callbacks, bypassing required DM pairing. This lets unpaired recipients trigger sensitive callback handlers without authentication.
The vulnerability stems from lax validation in the raw card send surface. Feishu cards—interactive messages with buttons and forms—normally route callbacks through paired DM channels for security. Legacy payloads slipped through, minting callbacks on unpaired paths. Developers verified the issue on tag v2026.3.24; the fix landed in commit 81c45976db532324b5a0918a70decc19520dc354, now in version 2026.3.25.
Vulnerability Breakdown
Feishu, ByteDance’s enterprise collaboration platform akin to Slack or Microsoft Teams, relies on cards for rich interactions. These cards send data back to bot servers via callbacks. DM pairing enforces that only paired users—those who’ve opted into direct messaging—can invoke these. OpenClaw processes these interactions in Node.js environments.
In vulnerable versions, the raw card send API accepted legacy command payloads. Sending a specially crafted raw card would mint a callback that ignored pairing checks. An attacker needs only the bot’s app ID and a target callback endpoint. No deep access required—just craft the payload and fire it via Feishu’s send message API.
Proof-of-concept isn’t public, but the advisory confirms exploitation on v2026.3.24. The patch rejects legacy raw-card payloads outright, forcing all callbacks onto the paired path. Test it yourself: clone the repo, check out v2026.3.24, and attempt a raw card send with a legacy command field. On the vulnerable tag the send bypasses pairing; after the fix commit it fails.
Why This Matters
Enterprise bots handle sensitive actions: approvals, data pulls, notifications. Bypassing DM pairing opens doors to abuse. Unpaired users could spam callbacks, trigger unauthorized actions, or exfiltrate data if handlers lack further checks. In finance or crypto setups—where OpenClaw might integrate Feishu for team alerts—this escalates to real risks like fake approvals or phishing vectors.
npm stats show openclaw at low adoption: under 100 weekly downloads as of last check. But if your org uses Feishu for internal tools, scan dependencies. Tools like npm audit miss this; it’s a semantic vuln, not a known CVE. Broader context: Feishu integrations often chain with webhooks, making callback spoofing a chainable attack. Similar issues hit Slack apps in 2022, where unverified interactions led to token theft.
Implications extend to compliance. GDPR or SOC2 audits flag unpatched messaging vulns. Attackers could impersonate users, log fake interactions, or deny service to handlers. A skeptical read: the low download count tempers panic, and most users likely patched fast. Still, maintainers released .25 quickly, signaling awareness. No evidence of in-the-wild exploits, yet.
Fix and Next Steps
Upgrade to 2026.3.25 or later. Run
npm update openclaw
or pin in package.json: "openclaw": "^2026.3.25". Verify the commit:
git log --oneline 81c45976db532324b5a0918a70decc19520dc354
shows “Reject legacy raw-card command payloads”.
Audit your code: Ensure handlers validate sender IDs against paired users. Feishu’s API docs recommend tenant-aware checks—implement them. Rotate app secrets if exposed. Monitor logs for anomalous callbacks pre-upgrade.
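One way to implement the two checks above in a Node.js handler, as an added example that is not OpenClaw’s own code: the callback field names (`open_id`, `action.value`) and the `command` key used to recognise a legacy raw-card payload are assumptions, and the pairing store and sample events are constructed.

```javascript
// Added example, not OpenClaw's code. Assumed (hypothetical) callback shape:
// { open_id: '<sender>', action: { value: { ... } } }; a legacy raw-card
// command payload is recognised by a `command` key inside action.value.

// Constructed pairing store: open_ids that completed DM pairing.
const PAIRED_USERS = new Set(['ou_paired_user_1']);

function isLegacyRawCardPayload(value) {
  return value !== null && typeof value === 'object' && 'command' in value;
}

// Returns { ok: true, senderId, value } for a callback that may reach a
// sensitive handler, or { ok: false, reason } otherwise. Both checks run
// before any handler logic, so an unpaired or legacy callback never gets in.
function gateCallback(event, pairedUsers = PAIRED_USERS) {
  const senderId = event && event.open_id;
  if (typeof senderId !== 'string' || senderId.length === 0) {
    return { ok: false, reason: 'missing sender id' };
  }
  const value = event.action && event.action.value;
  if (isLegacyRawCardPayload(value)) {
    // The fix in 2026.3.25 rejects these outright; do the same at the handler.
    return { ok: false, reason: 'legacy raw-card command payload rejected' };
  }
  if (!pairedUsers.has(senderId)) {
    return { ok: false, reason: 'sender is not DM-paired' };
  }
  return { ok: true, senderId, value };
}

// Pre-upgrade log review: run the same gate over recorded callback events
// and return the ones that should never have reached a handler.
function findAnomalousCallbacks(events, pairedUsers = PAIRED_USERS) {
  return events
    .map((e) => ({ event: e, result: gateCallback(e, pairedUsers) }))
    .filter(({ result }) => !result.ok)
    .map(({ event, result }) => ({ open_id: event.open_id, reason: result.reason }));
}

// Constructed sample of recorded callbacks: one legitimate, one from an
// unpaired sender, one carrying a legacy command payload from a paired sender.
const SAMPLE_EVENTS = [
  { open_id: 'ou_paired_user_1', action: { value: { approve: 'req-1' } } },
  { open_id: 'ou_unpaired_user', action: { value: { approve: 'req-2' } } },
  { open_id: 'ou_paired_user_1', action: { value: { command: 'approve' } } },
];
```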
Longer term, ditch raw card sends if possible; use Feishu’s structured APIs. OpenClaw’s maintainers deserve credit for swift patching, but the legacy support highlights risks in evolving APIs. Feishu iterates fast—2026 versioning suggests forward-dated tags. Watch npm for updates; subscribe to their GitHub.
Bottom line: Patch now. This vuln exposes a classic integration blind spot—trust no callback without pairing proof. In security, pairing isn’t optional; it’s the moat.