Platform
nodejs
Component
openclaw
Fixed in
2026.3.12
CVE-2026-32924 describes an authorization bypass vulnerability discovered in OpenClaw. This flaw allows attackers to circumvent group chat protections within the application by manipulating Feishu reaction events. The vulnerability affects versions of OpenClaw prior to 2026.3.12, and a patch has been released to address the issue.
The core of this vulnerability lies in how OpenClaw handles Feishu reaction events. Specifically, when a reaction event lacks the chat_type parameter, OpenClaw incorrectly classifies it as a peer-to-peer (p2p) conversation instead of a group chat. This misclassification bypasses crucial security measures, namely groupAllowFrom and requireMention protections. An attacker can exploit this to trigger actions or access data within group chats without proper authorization, potentially leading to unauthorized data modification, information disclosure, or even complete control over group chat functionality. The impact is particularly severe given the potential for widespread access and manipulation within group environments.
CVE-2026-32924 was publicly disclosed on 2026-03-29. Currently, there is no indication of active exploitation or a public proof-of-concept. The vulnerability's severity is rated CRITICAL (CVSS 9.8), indicating a high potential for exploitation if left unaddressed. It has not been added to the CISA KEV catalog at the time of this writing.
Exploit Status
EPSS
0.06% (18th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-32924 is to upgrade OpenClaw to version 2026.3.12 or later. This patched version correctly handles Feishu reaction events and enforces the intended group chat protections. If immediate upgrading is not feasible, consider a temporary workaround: validate the chat_type parameter of incoming Feishu reaction events within your OpenClaw integration and treat any event that omits it as a group chat rather than a p2p conversation. While not a complete fix, this reduces the attack surface. Monitor OpenClaw logs for unusual activity related to Feishu reaction events, specifically events lacking the chat_type parameter. After upgrading, confirm the fix by sending a test Feishu reaction event with an omitted chat_type and verifying that it is classified as a group chat and subject to the groupAllowFrom and requireMention protections.
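To illustrate the misclassification described above and the chat_type validation workaround, here is an added Node.js example (written for this page, not OpenClaw's own code). It assumes a simplified reaction event shape, a sender allowlist standing in for groupAllowFrom, and a mentions_bot flag standing in for requireMention; the sample events are constructed, not real Feishu payloads.

```javascript
// Assumed policy shape: a sender allowlist (groupAllowFrom) and a mention requirement.
const policy = {
  groupAllowFrom: new Set(["ou_trusted_admin"]), // constructed sender id
  requireMention: true,
};

// Pre-fix pattern described in the advisory: anything that is not explicitly
// "group" (including a missing chat_type) is treated as p2p, so group checks
// are skipped.
function classifyVulnerable(event) {
  return event.chat_type === "group" ? "group" : "p2p";
}

// Fail-closed pattern: only an explicit "p2p" is a direct message; a missing
// or unexpected chat_type is handled as a group chat and gets group protections.
function classifyHardened(event) {
  return event.chat_type === "p2p" ? "p2p" : "group";
}

// Authorization decision for a reaction event under a given classifier.
function isAuthorized(event, classify) {
  if (classify(event) === "p2p") return true; // p2p has no group protections
  if (!policy.groupAllowFrom.has(event.sender_id)) return false; // groupAllowFrom
  if (policy.requireMention && !event.mentions_bot) return false; // requireMention
  return true;
}

// Log-review helper for the workaround: reaction events that omit chat_type.
function findMissingChatType(events) {
  return events.filter((e) => e.type === "reaction" && !("chat_type" in e));
}

// Constructed sample events (assumed shape, not real Feishu payloads).
const sampleEvents = [
  { type: "reaction", chat_type: "group", sender_id: "ou_untrusted", mentions_bot: false },
  { type: "reaction", sender_id: "ou_untrusted", mentions_bot: false }, // chat_type omitted
  { type: "reaction", chat_type: "p2p", sender_id: "ou_untrusted", mentions_bot: false },
];

// Stand-alone run: show how each classifier decides for every sample event.
for (const e of sampleEvents) {
  console.log(
    `chat_type=${e.chat_type ?? "<missing>"}`,
    `vulnerable=${isAuthorized(e, classifyVulnerable)}`,
    `hardened=${isAuthorized(e, classifyHardened)}`
  );
}
console.log("events missing chat_type:", findMissingChatType(sampleEvents).length);
```

The second sample event is the case the advisory describes: the vulnerable classifier authorizes it as p2p, while the hardened one applies the group checks and rejects it.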
Update OpenClaw to version 2026.3.12 or later. This version corrects the authorization bypass vulnerability by correctly classifying Feishu reaction events.
CVE-2026-32924 is a critical vulnerability in OpenClaw where Feishu reaction events without a chat_type are misclassified, allowing attackers to bypass group chat protections.
You are affected if you run an OpenClaw version earlier than 2026.3.12 and integrate with Feishu. Upgrade to 2026.3.12 or later to mitigate the risk.
Upgrade OpenClaw to version 2026.3.12 or later. As a temporary workaround, validate the chat_type parameter in incoming Feishu reaction events.
There is currently no evidence of active exploitation or a public proof-of-concept for CVE-2026-32924.
Refer to the OpenClaw project's official security advisories and release notes for details on CVE-2026-32924 and the associated patch.