CVE-2026-32924
Published: 29 March 2026
Summary
CVE-2026-32924 is a critical-severity Incorrect Authorization (CWE-863) vulnerability in OpenClaw. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability ranks at the 19.3rd percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-24 (Access Control Decisions) and AC-3 (Access Enforcement).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
AC-3 mandates enforcement of approved authorizations for access, directly preventing the authorization bypass that results from Feishu reaction events lacking chat_type being misclassified.
AC-24 requires correct authorization decisions for system resources based on attributes like chat_type, addressing the misclassification that circumvents group chat protections.
AC-6 enforces least privilege, mitigating unauthorized reactions in group chats that bypass groupAllowFrom and requireMention restrictions.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Authorization bypass in network-accessible OpenClaw (AV:N, PR:N) directly enables remote exploitation of a public-facing application to gain unauthorized access and perform restricted actions.
NVD Description
OpenClaw before 2026.3.12 contains an authorization bypass vulnerability where Feishu reaction events with omitted chat_type are misclassified as p2p conversations instead of group chats. Attackers can exploit this misclassification to bypass groupAllowFrom and requireMention protections in group chat reaction-derived events.
Deeper analysis
OpenClaw versions prior to 2026.3.12 contain an authorization bypass vulnerability, tracked as CVE-2026-32924 and associated with CWE-863 (Incorrect Authorization). The issue arises in the handling of Feishu reaction events where the chat_type field is omitted, causing these events to be misclassified as peer-to-peer (p2p) conversations rather than group chats. This misclassification enables attackers to circumvent groupAllowFrom and requireMention protections that apply to reaction-derived events in group chat contexts. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its network accessibility and high impact on confidentiality, integrity, and availability.
Attackers require no privileges (PR:N) and can exploit this remotely over the network with low complexity and no user interaction. By crafting and sending Feishu reaction events lacking the chat_type parameter, adversaries trigger the misclassification, allowing unauthorized actions in group chats that would otherwise be restricted by groupAllowFrom (limiting reactions to specific sources) and requireMention (mandating explicit mentions). Successful exploitation grants high-level access to sensitive operations, potentially enabling data exfiltration, modification, or disruption within affected OpenClaw deployments integrated with Feishu.
Mitigation details are outlined in the official advisories, including the OpenClaw GitHub security advisory at https://github.com/openclaw/openclaw/security/advisories/GHSA-m69h-jm2f-2pv8 and VulnCheck's analysis at https://www.vulncheck.com/advisories/openclaw-authorization-bypass-via-misclassified-reaction-events-in-feishu. Practitioners should upgrade to OpenClaw 2026.3.12 or later, where the misclassification logic has been corrected to properly enforce group chat protections.
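To make the failure mode concrete, the following is an added TypeScript example, not OpenClaw's own code: the event fields, the policy shape and the helper names are assumptions. It contrasts a classifier that defaults a missing chat_type to p2p (the bug class described above) with one that fails closed to group, so that groupAllowFrom and requireMention still apply.

```typescript
// Constructed model of the bug class; field names are assumptions, not OpenClaw's code.
type ChatType = "p2p" | "group";

interface ReactionEvent {
  chat_id: string;
  sender_id: string;
  chat_type?: string;       // untrusted input: may be omitted or carry an unexpected value
  mentions_bot?: boolean;
}

interface GroupPolicy {
  groupAllowFrom: string[]; // senders allowed to trigger reaction-derived actions in groups
  requireMention: boolean;  // group actions require the bot to be explicitly mentioned
}

// Vulnerable pattern: anything that is not explicitly "group" is treated as p2p,
// so an omitted chat_type skips the group-chat checks entirely.
function classifyVulnerable(ev: ReactionEvent): ChatType {
  return ev.chat_type === "group" ? "group" : "p2p";
}

// Hardened pattern (fail closed): only an explicit "p2p" is p2p; a missing or
// unrecognised chat_type is handled as a group chat and gets the restrictive policy.
function classifyHardened(ev: ReactionEvent): ChatType {
  return ev.chat_type === "p2p" ? "p2p" : "group";
}

// Authorization decision for a reaction-derived event under the given classifier.
function isAuthorized(ev: ReactionEvent, policy: GroupPolicy,
                      classify: (e: ReactionEvent) => ChatType): boolean {
  if (classify(ev) === "p2p") return true;                       // p2p: no group policy
  if (!policy.groupAllowFrom.includes(ev.sender_id)) return false; // groupAllowFrom
  if (policy.requireMention && !ev.mentions_bot) return false;     // requireMention
  return true;
}

const policy: GroupPolicy = { groupAllowFrom: ["ou_admin"], requireMention: true };

// Constructed sample: a group-chat reaction from an unlisted sender, chat_type omitted.
const missingChatType: ReactionEvent = { chat_id: "oc_group_1", sender_id: "ou_stranger" };

function vulnerableDecision(ev: ReactionEvent): boolean { return isAuthorized(ev, policy, classifyVulnerable); }
function hardenedDecision(ev: ReactionEvent): boolean { return isAuthorized(ev, policy, classifyHardened); }
```

With the constructed event, vulnerableDecision returns true (the bypass) while hardenedDecision returns false; an explicit p2p event, or a group event from an allowed sender that mentions the bot, is authorized under both.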
Details
- CWE(s)