{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/feishu/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["OpenClaw"],"_cs_severities":["critical"],"_cs_tags":["openclaw","feishu","webhook","vulnerability"],"_cs_type":"advisory","_cs_vendors":["OpenClaw"],"content_html":"\u003cp\u003eOpenClaw, when configured with Feishu webhook integration, is susceptible to a critical vulnerability in versions prior to 2026.4.15. This vulnerability stems from the application's failure to properly validate incoming webhook requests and card-action callbacks. Specifically, the application incorrectly accepts configurations without an \u003ccode\u003eencryptKey\u003c/code\u003e and processes card-action callbacks with blank tokens. This fail-open behavior allows unauthenticated traffic to bypass intended security measures, potentially leading to unauthorized command execution within the OpenClaw environment. The vulnerability impacts deployments utilizing Feishu webhook mode, exposing a network-triggered entry point into OpenClaw command handling without the expected Feishu signature or replay protection. This vulnerability was reported by @dhyabi2. Version 2026.4.15 resolves this issue.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies an OpenClaw deployment using Feishu webhooks without a configured \u003ccode\u003eencryptKey\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious Feishu webhook request, bypassing signature validation due to the missing \u003ccode\u003eencryptKey\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker sends the crafted webhook request to the OpenClaw endpoint.\u003c/li\u003e\n\u003cli\u003eOpenClaw processes the unauthenticated request, due to the missing \u003ccode\u003eencryptKey\u003c/code\u003e check, forwarding it to command dispatch.\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker crafts a malicious card-action callback with a blank callback token.\u003c/li\u003e\n\u003cli\u003eOpenClaw fails to reject the card-action callback with the blank token.\u003c/li\u003e\n\u003cli\u003eThe unvalidated card-action is processed, triggering unintended commands within OpenClaw.\u003c/li\u003e\n\u003cli\u003eSuccessful exploitation allows the attacker to execute arbitrary commands within the context of the OpenClaw application.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability can lead to unauthorized access and command execution within the OpenClaw application. A vulnerable OpenClaw instance could be leveraged to perform actions such as data exfiltration, system compromise, or denial-of-service attacks. The lack of authentication and validation mechanisms exposes the OpenClaw deployment to significant risk, potentially affecting all users and systems managed by the platform.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade OpenClaw to version 2026.4.15 or later to remediate the vulnerability. This version enforces validation of Feishu webhooks and card-action callbacks, preventing unauthenticated access (reference: Affected versions).\u003c/li\u003e\n\u003cli\u003eEnsure that the \u003ccode\u003eencryptKey\u003c/code\u003e is properly configured for Feishu webhook integrations. The application will now refuse to start without it (reference: \u003ccode\u003eextensions/feishu/src/monitor.transport.ts\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule provided below to detect attempts to exploit this vulnerability by monitoring for webhook requests without proper authentication or card-action callbacks with missing tokens.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T10:00:00Z","date_published":"2024-01-02T10:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-openclaw-feishu-fail-open/","summary":"OpenClaw versions before 2026.4.15 are vulnerable to unauthenticated webhook or card-action traffic due to missing encryption key configuration and improper handling of card-action callbacks, potentially allowing network-triggered access to OpenClaw command handling without Feishu signature or replay protection.","title":"OpenClaw Feishu Webhook Vulnerability: Unauthenticated Command Execution","url":"https://feed.craftedsignal.io/briefs/2024-01-openclaw-feishu-fail-open/"}],"language":"en","title":"CraftedSignal Threat Feed - Feishu","version":"https://jsonfeed.org/version/1.1"}