Skip to main content

OpenClaw Feishu CVE-2026-62188

HIGH
Incorrect Authorization (CWE-863)
2026-07-13 VulnCheck
8.6
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
8.6 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
8.1 HIGH

Network-reachable tool needing an existing low-trust authenticated caller (PR:L) and no interaction; broken authorization exposes and alters protected data (C:H/I:H) without availability impact.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

2
Analysis Generated
Jul 13, 2026 - 22:03 vuln.today
CVE Published
Jul 13, 2026 - 21:30 cve.org
HIGH 8.6

DescriptionCVE.org

OpenClaw @openclaw/feishu versions 2026.6.6 and earlier contain an incorrect authorization vulnerability in which the Feishu permission tools could ignore per-account disablement settings. When the affected feature is enabled and reachable, a lower-trust caller or configured input path could perform actions that should have required a stronger authorization or policy check. The issue is fixed in version 2026.6.9.

AnalysisAI

Privilege escalation via broken authorization in the OpenClaw @openclaw/feishu integration (versions 2026.6.6 and earlier) allows a lower-trust, already-authenticated caller to invoke Feishu permission tools that should have been blocked by per-account disablement settings. Because the enforcement gap lets a low-privilege actor perform actions requiring stronger authorization, the flaw carries high confidentiality and integrity impact (CVSS 4.0 base 8.6). …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate as low-trust caller
Delivery
Reach enabled Feishu permission tool
Exploit
Send action blocked by account policy
Execution
Incorrect authorization check passes
Persist
Perform higher-privilege action
Impact
Read or alter protected data

Vulnerability AssessmentAI

Exploitation Exploitation requires the Feishu permission tools feature to be enabled and network-reachable, and per the CVSS vector PR:L, the attacker must already hold low-level authenticated privileges - this is not anonymous access. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N) describes a network-reachable, low-complexity attack requiring only low existing privileges and no user interaction, yielding high confidentiality and integrity impact with no availability effect - a credible real priority for organizations running this integration. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A user or service holding only low-privilege credentials in an environment where the @openclaw/feishu permission tools are enabled and network-reachable sends a request that would normally be denied by the target account's disablement policy. Because the authorization decision is evaluated incorrectly, the action is permitted, letting the attacker read or modify data protected by a stronger authorization tier. …
Remediation Vendor-released patch: upgrade @openclaw/feishu to 2026.6.9 or later, which corrects the per-account authorization enforcement; consult the GitHub advisory GHSA-w8wf-3qvj-6xqf (https://github.com/openclaw/openclaw/security/advisories/GHSA-w8wf-3qvj-6xqf) and the VulnCheck advisory (https://www.vulncheck.com/advisories/openclaw-feishu-authorization-bypass) for exact release notes. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, inventory all users with access to the OpenClaw Feishu integration, document their privilege levels, and audit access logs for the past 30 days. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-62188 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy