<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Feishu - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/feishu/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 02 Jan 2024 10:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/feishu/feed.xml" rel="self" type="application/rss+xml"/><item><title>OpenClaw Feishu Webhook Vulnerability: Unauthenticated Command Execution</title><link>https://feed.craftedsignal.io/briefs/2024-01-openclaw-feishu-fail-open/</link><pubDate>Tue, 02 Jan 2024 10:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-openclaw-feishu-fail-open/</guid><description>OpenClaw versions before 2026.4.15 are vulnerable to unauthenticated webhook or card-action traffic due to missing encryption key configuration and improper handling of card-action callbacks, potentially allowing network-triggered access to OpenClaw command handling without Feishu signature or replay protection.</description><content:encoded><![CDATA[<p>OpenClaw, when configured with Feishu webhook integration, is susceptible to a critical vulnerability in versions prior to 2026.4.15. This vulnerability stems from the application's failure to properly validate incoming webhook requests and card-action callbacks. Specifically, the application incorrectly accepts configurations without an <code>encryptKey</code> and processes card-action callbacks with blank tokens. This fail-open behavior allows unauthenticated traffic to bypass intended security measures, potentially leading to unauthorized command execution within the OpenClaw environment. The vulnerability impacts deployments utilizing Feishu webhook mode, exposing a network-triggered entry point into OpenClaw command handling without the expected Feishu signature or replay protection. This vulnerability was reported by @dhyabi2. Version 2026.4.15 resolves this issue.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker identifies an OpenClaw deployment using Feishu webhooks without a configured <code>encryptKey</code>.</li>
<li>The attacker crafts a malicious Feishu webhook request, bypassing signature validation due to the missing <code>encryptKey</code>.</li>
<li>The attacker sends the crafted webhook request to the OpenClaw endpoint.</li>
<li>OpenClaw processes the unauthenticated request, due to the missing <code>encryptKey</code> check, forwarding it to command dispatch.</li>
<li>Alternatively, the attacker crafts a malicious card-action callback with a blank callback token.</li>
<li>OpenClaw fails to reject the card-action callback with the blank token.</li>
<li>The unvalidated card-action is processed, triggering unintended commands within OpenClaw.</li>
<li>Successful exploitation allows the attacker to execute arbitrary commands within the context of the OpenClaw application.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this vulnerability can lead to unauthorized access and command execution within the OpenClaw application. A vulnerable OpenClaw instance could be leveraged to perform actions such as data exfiltration, system compromise, or denial-of-service attacks. The lack of authentication and validation mechanisms exposes the OpenClaw deployment to significant risk, potentially affecting all users and systems managed by the platform.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade OpenClaw to version 2026.4.15 or later to remediate the vulnerability. This version enforces validation of Feishu webhooks and card-action callbacks, preventing unauthenticated access (reference: Affected versions).</li>
<li>Ensure that the <code>encryptKey</code> is properly configured for Feishu webhook integrations. The application will now refuse to start without it (reference: <code>extensions/feishu/src/monitor.transport.ts</code>).</li>
<li>Deploy the Sigma rule provided below to detect attempts to exploit this vulnerability by monitoring for webhook requests without proper authentication or card-action callbacks with missing tokens.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>openclaw</category><category>feishu</category><category>webhook</category><category>vulnerability</category></item></channel></rss>