{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32021", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "state": "PUBLISHED", "assignerShortName": "VulnCheck", "dateReserved": "2026-03-10T19:48:40.708Z", "datePublished": "2026-03-19T22:06:57.831Z", "dateUpdated": "2026-03-19T22:06:57.831Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-03-19T22:06:57.831Z"}, "title": "OpenClaw < 2026.2.22 - Authorization Bypass via Display Name Collision in Feishu allowFrom", "descriptions": [{"lang": "en", "value": "OpenClaw versions prior to 2026.2.22 contain an authorization bypass vulnerability in the Feishu allowFrom allowlist implementation that accepts mutable sender display names instead of enforcing ID-only matching. An attacker can set a display name equal to an allowlisted ID string to bypass authorization checks and gain unauthorized access."}], "tags": ["x_open-source"], "datePublic": "2026-02-23T00:00:00.000Z", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-863", "description": "CWE-863: Incorrect Authorization", "type": "CWE"}]}], "affected": [{"vendor": "OpenClaw", "product": "OpenClaw", "defaultStatus": "unaffected", "packageURL": "pkg:npm/openclaw", "versions": [{"version": "0", "status": "affected", "versionType": "semver", "lessThan": "2026.2.22"}, {"version": "2026.2.22", "status": "unaffected", "versionType": "semver"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "versionEndExcluding": "2026.2.22"}]}]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "subConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "subIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "MEDIUM", "baseScore": 6.3, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"}}, {"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE", "version": "3.1", "baseSeverity": "MEDIUM", "baseScore": 4.8, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"}}], "references": [{"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-j4xf-96qf-rx69", "name": "GitHub Security Advisory (GHSA-j4xf-96qf-rx69)", "tags": ["third-party-advisory"]}, {"url": "https://github.com/openclaw/openclaw/commit/4ed87a667263ed2d422b9d5d5a5d326e099f92c7", "name": "Patch Commit", "tags": ["patch"]}, {"name": "VulnCheck Advisory: OpenClaw < 2026.2.22 - Authorization Bypass via Display Name Collision in Feishu allowFrom", "tags": ["third-party-advisory"], "url": "https://www.vulncheck.com/advisories/openclaw-authorization-bypass-via-display-name-collision-in-feishu-allowfrom"}], "credits": [{"lang": "en", "value": "Jisung (@jiseoung)", "type": "reporter"}], "x_generator": {"engine": "vulncheck"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "OpenClaw versions prior to 2026.2.22 contain an authorization bypass vulnerability in the Feishu allowFrom allowlist implementation that accepts mutable sender display names instead of enforcing ID-only matching. An attacker can set a display name equal to an allowlisted ID string to bypass authorization checks and gain unauthorized access."}], "id": "CVE-2026-32021", "lastModified": "2026-03-20T13:39:46.493", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 2.5, "source": "disclosure@vulncheck.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "disclosure@vulncheck.com", "type": "Secondary"}]}, "published": "2026-03-19T22:16:36.103", "references": [{"source": "disclosure@vulncheck.com", "url": "https://github.com/openclaw/openclaw/commit/4ed87a667263ed2d422b9d5d5a5d326e099f92c7"}, {"source": "disclosure@vulncheck.com", "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-j4xf-96qf-rx69"}, {"source": "disclosure@vulncheck.com", "url": "https://www.vulncheck.com/advisories/openclaw-authorization-bypass-via-display-name-collision-in-feishu-allowfrom"}], "sourceIdentifier": "disclosure@vulncheck.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "disclosure@vulncheck.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": ["node.js"], "status": "affected", "versions": {"scheme": "semver", "value": "[0,2026.2.22)"}}, {"platform": ["node.js"], "status": "unaffected", "versions": {"scheme": "semver", "value": "2026.2.22"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "OpenClaw", "source": "cna", "vendor": "OpenClaw"}, "product": "openclaw", "vendor": "openclaw"}], "analysis": {"en": {"generated_at": "2026-03-19T23:39:23.056868+00:00", "value": {"mitigation_remediation": ["Upgrade OpenClaw to version 2026.2.22 or later.", "Verify that the Feishu allowFrom configuration strictly matches ID values and does not accept display names.", "Monitor application logs for anomalies related to unauthorized access attempts.", "Apply additional network segmentation or authentication controls as a temporary safeguard until the patch is applied."], "summary": {"action": "Immediate Patch", "impact": "Authorization Bypass"}, "threat_synthesis": {"affected_systems": "Affectees include OpenClaw software with any version earlier than 2026.2.22. No further version granularity is specified, so all installations of OpenClaw pre\u20112026.2.22 are impacted.", "description_and_impact": "OpenClaw versions prior to 2026.2.22 contain an authorization bypass vulnerability in the Feishu allowFrom allowlist implementation that accepts mutable sender display names instead of enforcing ID-only matching. An attacker can set a display name equal to an allowlisted ID string to bypass authorization checks and gain unauthorized access. The primary impact is the attacker achieving unauthorized access to the system, potentially compromising confidential data and system integrity.", "risk_and_exploitability": "The CVSS score is 6.3, indicating a moderate risk level. EPSS data is not available and the vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that an attacker can exploit this remotely by sending a crafted request that includes a display name mimicking an allowlisted ID, thereby elevating privileges and bypassing authentication."}}}}, "created": "2026-03-20T08:55:03.818506+00:00", "updated": "2026-03-20T11:05:24.291924+00:00", "vendors": ["openclaw", "openclaw$PRODUCT$openclaw"]}