Skip to main content

Feishu

3 CVEs product

Monthly

CVE-2026-62188 HIGH This Week

Privilege escalation via broken authorization in the OpenClaw @openclaw/feishu integration (versions 2026.6.6 and earlier) allows a lower-trust, already-authenticated caller to invoke Feishu permission tools that should have been blocked by per-account disablement settings. Because the enforcement gap lets a low-privilege actor perform actions requiring stronger authorization, the flaw carries high confidentiality and integrity impact (CVSS 4.0 base 8.6). No public exploit identified at time of analysis, and it is not listed in CISA KEV.

Authentication Bypass Feishu
NVD GitHub VulDB
CVSS 4.0
8.6
EPSS
0.2%
CVE-2026-62187 HIGH This Week

Authorization bypass in the @openclaw/feishu npm package (versions <= 2026.6.6) allows a lower-trust caller - or attacker-influenced input reaching a configured input path - to perform Feishu (Lark) actions that should have required stronger authorization, because per-account disablement can be ignored. Authenticated remote attackers can trigger unauthorized operations affecting confidentiality and integrity; no public exploit has been identified at time of analysis, and the flaw is fixed in version 2026.6.9. Real-world impact is gated by the operator's configuration and whether untrusted input can reach the affected feature.

Authentication Bypass Node.js Feishu
NVD GitHub
CVSS 4.0
8.6
EPSS
0.2%
CVE-2021-3305 HIGH POC This Week

Beijing Feishu Technology Co., Ltd Feishu v3.40.3 was discovered to contain an untrusted search path vulnerability. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Feishu
NVD GitHub VulDB
CVSS 3.1
7.8
EPSS
0.3%
EPSS 0% CVSS 8.6
HIGH This Week

Privilege escalation via broken authorization in the OpenClaw @openclaw/feishu integration (versions 2026.6.6 and earlier) allows a lower-trust, already-authenticated caller to invoke Feishu permission tools that should have been blocked by per-account disablement settings. Because the enforcement gap lets a low-privilege actor perform actions requiring stronger authorization, the flaw carries high confidentiality and integrity impact (CVSS 4.0 base 8.6). No public exploit identified at time of analysis, and it is not listed in CISA KEV.

Authentication Bypass Feishu
NVD GitHub VulDB
EPSS 0% CVSS 8.6
HIGH This Week

Authorization bypass in the @openclaw/feishu npm package (versions <= 2026.6.6) allows a lower-trust caller - or attacker-influenced input reaching a configured input path - to perform Feishu (Lark) actions that should have required stronger authorization, because per-account disablement can be ignored. Authenticated remote attackers can trigger unauthorized operations affecting confidentiality and integrity; no public exploit has been identified at time of analysis, and the flaw is fixed in version 2026.6.9. Real-world impact is gated by the operator's configuration and whether untrusted input can reach the affected feature.

Authentication Bypass Node.js Feishu
NVD GitHub
EPSS 0% CVSS 7.8
HIGH POC This Week

Beijing Feishu Technology Co., Ltd Feishu v3.40.3 was discovered to contain an untrusted search path vulnerability. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Feishu
NVD GitHub VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy