GHSA-xh72-v6v9-mwhc: OpenClaw: Feishu webhook and card-action validation now fail closed
Feishu webhook mode accepted missing encryptKey configuration as valid and blank card-action callback tokens as usable lifecycle tokens. Together, those fail-open paths could allow unauthenticated webhook or card-action traffic to reach command dispatch in affected deployments.
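The fail-open and fail-closed shapes described above, side by side, as an added example that is not OpenClaw's code. Every name and type is hypothetical, and `signatureOk` is an assumed input standing for whatever request check the configured `encryptKey` enables.

```typescript
// Added illustration; all names and shapes are hypothetical, not OpenClaw's code.
interface WebhookConfig { encryptKey?: string | null }
interface CardAction { token?: string | null }
type Verdict = { allow: true; token: string } | { allow: false; reason: string };

// A value counts as present only if it is a string with non-whitespace content.
function present(v: unknown): v is string {
  return typeof v === "string" && v.trim().length > 0;
}

// Fail-open: absence of a key or token is read as "nothing to check".
function admitFailOpen(cfg: WebhookConfig, action: CardAction, signatureOk: boolean): Verdict {
  // The request check only runs when a key happens to be configured.
  if (cfg.encryptKey && !signatureOk) {
    return { allow: false, reason: "request check failed" };
  }
  // A blank token is passed on as if it were a real lifecycle token.
  return { allow: true, token: action.token ?? "" };
}

// Fail-closed: every missing, blank or unverified input is an explicit rejection.
function admitFailClosed(cfg: WebhookConfig, action: CardAction, signatureOk: boolean): Verdict {
  if (!present(cfg.encryptKey)) {
    return { allow: false, reason: "webhook mode requires a non-empty encryptKey" };
  }
  if (!signatureOk) {
    return { allow: false, reason: "request check failed" };
  }
  const token = action.token;
  if (!present(token)) {
    return { allow: false, reason: "card action has no callback token" };
  }
  return { allow: true, token };
}

// Constructed inputs: a deployment with no encryptKey receiving a blank-token action.
const unconfigured: WebhookConfig = {};
const blankAction: CardAction = { token: "" };
const before = admitFailOpen(unconfigured, blankAction, false);   // reaches dispatch
const after = admitFailClosed(unconfigured, blankAction, false);  // rejected
console.log(before.allow, after.allow);
```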