GHSA-72q8-jcmc-97wx: OpenClaw: Feishu card actions could misclassify DMs and skip dmPolicy
Feishu card-action callbacks could synthesize a message event in which a DM conversation was classified as a group conversation. That skipped dmPolicy enforcement for card actions, so a sender in a Feishu DM could trigger card-action flows that a restrictive DM policy should have blocked.
The issue is limited to Feishu card-action handling. Severity is medium.
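The bug class described above, as an added example that is not OpenClaw's code: a minimal model of a policy gate that trusts the conversation type on a synthesized event, next to a hardened synthesizer that resolves the type from an authoritative lookup and fails closed. All type names, function names, policy values and IDs are assumptions constructed for illustration.

```typescript
// Illustrative model: all names and policy values are hypothetical, not OpenClaw's or Feishu's API.
type ChatKind = "dm" | "group";
type DmPolicy = "open" | "allowlist" | "disabled";
interface CardAction { senderId: string; chatId: string; chatKind?: ChatKind }
interface SyntheticMessage { senderId: string; chatId: string; chatKind: ChatKind }
interface Config { dmPolicy: DmPolicy; dmAllowFrom: string[] }

// Gate shared with the normal message path: dmPolicy is consulted only for DMs.
function isAllowed(msg: SyntheticMessage, cfg: Config): boolean {
  if (msg.chatKind === "group") return true; // group rules are out of scope for this sketch
  if (cfg.dmPolicy === "open") return true;
  if (cfg.dmPolicy === "allowlist") return cfg.dmAllowFrom.includes(msg.senderId);
  return false; // "disabled"
}

// Bug class: the callback carries no trustworthy chat kind and the synthesizer
// defaults to "group", so the DM branch of the gate is never reached.
function synthesizeUnsafe(a: CardAction): SyntheticMessage {
  return { senderId: a.senderId, chatId: a.chatId, chatKind: a.chatKind ?? "group" };
}

// Hardened form: resolve the kind from an authoritative lookup keyed by chat id and
// treat an unknown chat as a DM, so the stricter policy applies (fail closed).
function synthesizeSafe(
  a: CardAction,
  lookup: (chatId: string) => ChatKind | undefined,
): SyntheticMessage {
  return { senderId: a.senderId, chatId: a.chatId, chatKind: lookup(a.chatId) ?? "dm" };
}

// Constructed sample data.
const cfg: Config = { dmPolicy: "allowlist", dmAllowFrom: ["ou_alice"] };
const knownChats = new Map<string, ChatKind>([["oc_dm_1", "dm"], ["oc_team", "group"]]);
const lookup = (id: string): ChatKind | undefined => knownChats.get(id);
const dmClick: CardAction = { senderId: "ou_bob", chatId: "oc_dm_1" }; // sender not on the allowlist

function demo(): { unsafe: boolean; safe: boolean } {
  return {
    unsafe: isAllowed(synthesizeUnsafe(dmClick), cfg),     // dmPolicy skipped
    safe: isAllowed(synthesizeSafe(dmClick, lookup), cfg), // dmPolicy enforced
  };
}

console.log(demo());
```

A regression test for this class of bug should drive the card-action path with a DM-originated callback under a restrictive policy and assert that the action is rejected.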