OpenClaw, an npm package for Feishu integrations, ships an allowlist bypass in versions up to 2026.3.28. When it fetches thread history or quoted messages, the root and context data it pulls is not checked against sender allowlists, so apps are exposed to content from untrusted senders. Severity is rated medium. The fix lands in version 2026.3.31, via commit f45e5a6569aab1d58cc6de25b19f1dc4c8779b85 on March 31, 2026.
What OpenClaw Does
OpenClaw provides a client for Feishu, ByteDance's enterprise chat platform, akin to Slack or Microsoft Teams. Feishu serves over 10 million daily users, mostly in enterprises concentrated in China, per ByteDance stats. Developers pull it via npm for bots, integrations, or custom clients. The latest version sits at 2026.3.31. The package handles messaging APIs, including threads where replies chain under root messages and quotes embed prior content.
Sender allowlists filter incoming messages by trusted origins. OpenClaw's SECURITY.md documents no exemption from allowlisting for remotely fetched content, so the unchecked fetch is a flaw rather than intended behaviour. AntAISecurityLab reported it; the maintainers triaged it as a real issue in shipped code.
How the Bypass Works
Apps using vulnerable OpenClaw call Feishu APIs for thread details. A root message from an allowed sender can spawn replies or quotes from outsiders. Fetching the full context pulls that unvetted content in without any allowlist check. No public proof-of-concept exists yet, but the path is there.
Consider a corporate bot parsing Feishu channels. It allowlists internal senders. An attacker posts a reply that quotes a message from a malicious external thread. OpenClaw loads the quote's context unchecked. Result: potential script injection, phishing links, or data exfiltration if your app renders the fetched content raw.
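The scenario above, as an added illustration that is not OpenClaw's code: a bot that applies its allowlist only to the triggering message (the weak pattern) beside one that re-checks every message pulled in through thread history or quotes (the hardened pattern). The Feishu client is simulated with an in-memory message store; the message ids, sender ids and text are constructed sample data.

```javascript
// Added illustration, not OpenClaw's code: a bot that allowlists only the
// triggering message (weak) next to one that re-checks every message pulled
// in through thread history or quotes (hardened). The Feishu client is
// simulated with an in-memory message store; ids and sender names are made up.

// Constructed sample data. Thread under om_root: Alice (trusted) starts it,
// Mallory (untrusted) replies with a link, Bob (trusted) replies and quotes a
// message Mallory posted in an unrelated external thread.
const MESSAGES = {
  om_root: { id: "om_root", sender: "ou_internal_alice", rootId: null, quoteId: null,
             text: "Deploy plan for Friday" },
  om_r1:   { id: "om_r1", sender: "ou_external_mallory", rootId: "om_root", quoteId: null,
             text: "Use this portal: http://login.example.invalid" },
  om_r2:   { id: "om_r2", sender: "ou_internal_bob", rootId: "om_root", quoteId: "om_q1",
             text: "Is this request legit?" },
  om_q1:   { id: "om_q1", sender: "ou_external_mallory", rootId: "om_ext", quoteId: null,
             text: "Please paste your bot token here" },
};

const ALLOWLIST = new Set(["ou_internal_alice", "ou_internal_bob"]);

// Stand-ins for the Feishu API calls a client library would make.
function fetchMessage(id) {
  const msg = MESSAGES[id];
  if (!msg) throw new Error(`unknown message ${id}`);
  return msg;
}

function fetchThread(rootId) {
  // Root first, then its replies in posting order.
  return Object.values(MESSAGES).filter((m) => m.id === rootId || m.rootId === rootId);
}

// Weak pattern: the allowlist is applied once, to the message that triggered
// the bot. Everything fetched afterwards (thread history, quoted messages)
// enters the context unchecked.
function buildContextUnchecked(triggerId) {
  const trigger = fetchMessage(triggerId);
  if (!ALLOWLIST.has(trigger.sender)) return [];
  const context = [];
  for (const msg of fetchThread(trigger.rootId || trigger.id)) {
    context.push(msg);
    if (msg.quoteId) context.push(fetchMessage(msg.quoteId));
  }
  return context;
}

// Hardened pattern: the same sender check gates every message, however it
// was reached. Rejected messages are returned so the caller can log them
// (the "unallowed sender hits" worth scanning for after the patch).
function buildContextChecked(triggerId) {
  const trigger = fetchMessage(triggerId);
  const context = [];
  const rejected = [];
  const admit = (msg) => {
    if (ALLOWLIST.has(msg.sender)) context.push(msg);
    else rejected.push({ id: msg.id, sender: msg.sender });
  };
  if (!ALLOWLIST.has(trigger.sender)) {
    rejected.push({ id: trigger.id, sender: trigger.sender });
    return { context, rejected };
  }
  for (const msg of fetchThread(trigger.rootId || trigger.id)) {
    admit(msg);
    if (msg.quoteId) admit(fetchMessage(msg.quoteId));
  }
  return { context, rejected };
}

// Count how many context entries came from senders outside the allowlist.
function untrustedCount(context) {
  return context.filter((m) => !ALLOWLIST.has(m.sender)).length;
}

// Bob's reply triggers the bot; compare what each pattern lets through.
console.log("unchecked:", untrustedCount(buildContextUnchecked("om_r2")), "untrusted entries");
console.log("checked:  ", untrustedCount(buildContextChecked("om_r2").context), "untrusted entries");
```

With Bob's reply as the trigger, the weak pattern admits four messages, two of them Mallory's, because the root-sender check never looks at what the later fetches return. The hardened pattern keeps Alice's root and Bob's reply, drops Mallory's reply and the quoted message even though a trusted sender quoted it, and hands back the rejected entries for logging.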
Feishu itself does not create this bypass; OpenClaw's client-side handling does. Similar issues hit Slack bots in 2022, where thread expansions leaked tokens. Here, npm's 2 million weekly OpenClaw downloads amplify the reach, per npm trends.
Impact and Why It Matters
Medium severity fits: no RCE, but real allowlist evasion in production clients running OpenClaw up to 2026.3.28. It affects any app that fetches threads while relying on allowlists. The supply chain angle looms large: npm packages like this underpin 80% of Node.js projects, per Socket analysis, and one weak link cascades.
Why care? Enterprises lock Feishu down for compliance; bypasses undermine that. Attackers can chain this with social engineering: seed a thread, quote junk, and watch bots amplify it. The cost? Undisclosed breaches via chat clients tally millions yearly, like LastPass's 2022 Slack leak.
Skeptical take: the patch dropped the same day, signaling solid triage. No zero-day exploitation has been seen yet, but triage remains open while the maintainers examine edge cases. Feishu's closed ecosystem limits impact in the wild compared with the more open Slack, yet npm distributes the package worldwide.
Fix and Next Steps
Upgrade now: npm install openclaw@latest pulls 2026.3.31 or higher. Vulnerable range: <=2026.3.28. Verify the installed version with npm ls openclaw, and audit dependencies with npm audit or Snyk.
Post-patch, test thread fetches. Scan logs for hits from senders outside the allowlist. More broadly: rotate API keys, run bots with least privilege, and parse messages server-side rather than relying on client libraries. Watch the OpenClaw GitHub repository; the draft advisory awaits final sign-off.
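One way to carry out the verify-and-audit step above, as an added example that is not the OpenClaw project's own tooling: walk the JSON that `npm ls --all --json` prints and flag every installed copy of openclaw whose version falls in the vulnerable range, including copies nested under other dependencies that a top-level `npm ls openclaw` can miss. The dependency tree below is constructed sample data; the package names `feishu-ops-bot` and `legacy-feishu-bridge` are made up, and in use you would feed the real `npm ls --all --json` output through `JSON.parse` instead.

```javascript
// Added example, not the OpenClaw project's tooling: audit the output of
// `npm ls --all --json` for every installed copy of openclaw, including
// copies nested under other dependencies, and flag those in the vulnerable
// range. The JSON below is a constructed sample; in use, feed the real
// `npm ls --all --json` output through JSON.parse instead.

const PACKAGE = "openclaw";
const LAST_VULNERABLE = "2026.3.28"; // vulnerable range from the advisory: <=2026.3.28

// Constructed `npm ls --all --json` tree: a patched top-level openclaw and a
// stale copy pulled in by a hypothetical helper package.
const SAMPLE_NPM_LS = {
  name: "feishu-ops-bot",
  version: "1.4.0",
  dependencies: {
    openclaw: { version: "2026.3.31" },
    "legacy-feishu-bridge": {
      version: "0.9.2",
      dependencies: { openclaw: { version: "2026.3.28" } },
    },
    express: { version: "4.19.2" },
  },
};

// Numeric, component-wise comparison. A plain string compare would rank
// "2026.3.9" above "2026.3.28"; this does not. Pre-release suffixes after
// "-" are ignored for the comparison.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  const len = Math.max(pa.length, pb.length);
  for (let i = 0; i < len; i++) {
    const x = pa[i] ?? 0;
    const y = pb[i] ?? 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

function isVulnerable(version) {
  return compareVersions(version, LAST_VULNERABLE) <= 0;
}

// Walk the dependency tree depth-first, recording where each copy of
// PACKAGE sits and whether its version is in the vulnerable range.
function findInstalls(tree, path = [], found = []) {
  for (const [name, info] of Object.entries(tree.dependencies || {})) {
    const here = [...path, `${name}@${info.version || "unknown"}`];
    if (name === PACKAGE && info.version) {
      found.push({ version: info.version, path: here.join(" > "), vulnerable: isVulnerable(info.version) });
    }
    findInstalls(info, here, found);
  }
  return found;
}

// Print every copy and return the vulnerable ones so a CI job can fail on them.
function auditTree(tree) {
  const installs = findInstalls(tree);
  const vulnerable = installs.filter((i) => i.vulnerable);
  for (const i of installs) {
    console.log(`${i.vulnerable ? "VULNERABLE" : "ok        "} ${i.path}`);
  }
  return vulnerable;
}

auditTree(SAMPLE_NPM_LS);
```

On the sample tree the top-level copy reports ok while the nested copy under `legacy-feishu-bridge` is flagged, which is exactly the case where a quick `npm ls openclaw` followed by `npm install openclaw@latest` can leave a vulnerable copy behind; the version compare is numeric per component because OpenClaw's date-style versions would sort wrongly as strings.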
This shows npm's pace: flaws ship fast, and fixes ship faster when reported. Developers, pin versions and automate audits. Feishu users, probe your integrations. Stay ahead; chat bypasses evolve.