GHSA-m69h-jm2f-2pv8: OpenClaw: Feishu reaction events could bypass group authorization and mention gating
When OpenClaw built a synthetic event from a Feishu reaction, the inbound reaction payload could omit chat_type, and in that case the synthetic event could misclassify a group conversation as p2p. Authorization and mention-gating logic keyed off that incorrect chat type and evaluated the event as a direct message instead of a group message, so the checks that apply to group conversations were not applied.
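To make the failure mode concrete, the following is an added TypeScript example and not OpenClaw's code or its fix; the ReactionPayload shape, the chat registry, the Policy type and all sample values are assumptions constructed for illustration. It places a classifier that infers p2p from a missing chat_type beside one that resolves the chat type from state the bot controls and otherwise fails closed to the group path, then runs both through the same authorization and mention-gating check.

```typescript
// Added example, not OpenClaw's code. All names below are assumptions.
type ChatType = "p2p" | "group";

// Fields a reaction payload may carry; chat_type is optional because,
// as the advisory notes, reaction events can arrive without it.
interface ReactionPayload {
  chat_id: string;
  chat_type?: ChatType;
  mentions_bot?: boolean;
}

interface Policy {
  allowedGroups: Set<string>;      // group chat_ids the bot may act in
  requireMentionInGroups: boolean; // mention gating for group messages
}

// Before: anything that is not explicitly "group" falls through to p2p,
// so a payload with no chat_type is treated as a direct message.
function classifyChatTypeVulnerable(p: ReactionPayload): ChatType {
  return p.chat_type === "group" ? "group" : "p2p";
}

// After: never infer p2p from absence. Resolve the chat type from a
// registry the bot maintains (assumed here as a Map filled from earlier
// message events); if the chat is unknown, fail closed to "group", the
// path on which authorization and mention gating are enforced.
function classifyChatType(p: ReactionPayload, registry: Map<string, ChatType>): ChatType {
  if (p.chat_type !== undefined) return p.chat_type;
  return registry.get(p.chat_id) ?? "group";
}

// Group authorization plus mention gating, keyed on the resolved chat type.
function shouldHandle(p: ReactionPayload, chatType: ChatType, policy: Policy): boolean {
  if (chatType === "p2p") return true; // direct messages need no group checks
  if (!policy.allowedGroups.has(p.chat_id)) return false;
  if (policy.requireMentionInGroups && !p.mentions_bot) return false;
  return true;
}

// Constructed sample: a reaction from a group that is not on the allowlist,
// with chat_type omitted and no bot mention.
const sampleRegistry = new Map<string, ChatType>([["oc_group_untrusted", "group"]]);
const samplePolicy: Policy = { allowedGroups: new Set(["oc_group_allowed"]), requireMentionInGroups: true };
const sampleReaction: ReactionPayload = { chat_id: "oc_group_untrusted" };

// Vulnerable path handles the event as a DM; hardened path rejects it.
const handledBefore = shouldHandle(sampleReaction, classifyChatTypeVulnerable(sampleReaction), samplePolicy);
const handledAfter = shouldHandle(sampleReaction, classifyChatType(sampleReaction, sampleRegistry), samplePolicy);
console.log({ handledBefore, handledAfter });
```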
References
- github.com/advisories/GHSA-m69h-jm2f-2pv8
- github.com/openclaw/openclaw
- github.com/openclaw/openclaw/commit/3e730c0332eb0a3dc9e1e8c29a5f95e933317b41
- github.com/openclaw/openclaw/pull/44088
- github.com/openclaw/openclaw/releases/tag/v2026.3.12
- github.com/openclaw/openclaw/security/advisories/GHSA-m69h-jm2f-2pv8