GHSA-g353-mgv3-8pcj: OpenClaw: Feishu webhook mode accepted forged events when only `verificationToken` was configured
Feishu webhook mode allowed deployments that configured only verificationToken without encryptKey. In that state, forged inbound events could be accepted because the weaker configuration did not provide the required cryptographic verification boundary.
References
- github.com/advisories/GHSA-g353-mgv3-8pcj
- github.com/openclaw/openclaw
- github.com/openclaw/openclaw/commit/7844bc89a1612800810617c823eb0c76ef945804
- github.com/openclaw/openclaw/pull/44087
- github.com/openclaw/openclaw/releases/tag/v2026.3.12
- github.com/openclaw/openclaw/security/advisories/GHSA-g353-mgv3-8pcj
Code Behaviors & Features
Detect and mitigate GHSA-g353-mgv3-8pcj with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →