CVE-2026-32924: OpenClaw
Attackers bypass OpenClaw group chat security via missing chat_type field, gaining unauthorized command execution. Upgrade to 2026.3.12 to block exploit.
Patch now - CVE-2026-32924 is a critical authorization bypass in OpenClaw prior to 2026.3.12 that lets attackers in a Feishu group send malicious reaction events to execute unauthorized commands by omitting the chat_type field. Update immediately to block this exploit.
Overview
A critical authorization bypass vulnerability has been identified in OpenClaw, a software integration platform. Tracked as CVE-2026-32924, the flaw carries a CVSS score of 9.8, placing it in the Critical severity range. It affects all versions of OpenClaw prior to 2026.3.12.
Vulnerability Details
OpenClaw processes reaction events from Feishu, a collaboration platform. The vulnerability exists in how OpenClaw classifies these events. When a reaction event is sent with the chat_type field omitted, the software incorrectly treats it as a private, person-to-person (p2p) message. In reality, the event may originate from a group chat.
This misclassification is exploitable. Attackers can craft malicious reaction events that appear to be p2p, thereby bypassing two critical security controls designed for group chats: groupAllowFrom (which restricts which users can post in a group) and requireMention (which requires a bot to be mentioned before it acts).
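The classification flaw described above can be modelled in a few lines. The following TypeScript is an added illustration, not OpenClaw's code: the event shape, the policy object and the two check functions are constructed for the example, and only the field name chat_type and the option names groupAllowFrom and requireMention come from the advisory. The vulnerable variant treats anything that is not explicitly a group event as p2p, so an event with chat_type omitted skips both group controls; the hardened variant only grants the private-chat path to an explicit "p2p" value and fails closed into the group policy otherwise.

```typescript
// Added example (not OpenClaw's code): how a missing chat_type can route a
// group reaction event past groupAllowFrom and requireMention, and a
// fail-closed alternative. Types and sample values are constructed.

interface ReactionEvent {
  chat_type?: "p2p" | "group"; // Feishu field; omitted in the malicious event
  chat_id: string;
  user_id: string;
  mentions_bot: boolean;        // assumed flag: was the bot @-mentioned
}

interface GroupPolicy {
  groupAllowFrom: string[];     // users allowed to drive the bot in groups
  requireMention: boolean;      // bot must be mentioned before it acts
}

// Group-chat controls from the advisory, applied together.
function groupCheck(ev: ReactionEvent, policy: GroupPolicy): boolean {
  if (policy.groupAllowFrom.length > 0 &&
      !policy.groupAllowFrom.includes(ev.user_id)) {
    return false;
  }
  if (policy.requireMention && !ev.mentions_bot) {
    return false;
  }
  return true;
}

// Vulnerable pattern (constructed): "not a group" is taken to mean p2p, so an
// event without chat_type never reaches the group controls.
function isAuthorizedVulnerable(ev: ReactionEvent, policy: GroupPolicy): boolean {
  const isP2p = ev.chat_type !== "group";
  if (isP2p) {
    return true; // p2p path: group controls do not apply
  }
  return groupCheck(ev, policy);
}

// Hardened pattern: only an explicit "p2p" earns the private-chat path; an
// absent or unexpected chat_type fails closed into the group policy.
function isAuthorizedFixed(ev: ReactionEvent, policy: GroupPolicy): boolean {
  if (ev.chat_type === "p2p") {
    return true; // p2p path: group controls do not apply
  }
  return groupCheck(ev, policy);
}

// Constructed sample policy and events.
const policy: GroupPolicy = { groupAllowFrom: ["ou_admin"], requireMention: true };

const groupEventFromStranger: ReactionEvent = {
  chat_type: "group", chat_id: "oc_1", user_id: "ou_stranger", mentions_bot: false,
};

// Same sender and chat, but with chat_type left out.
const eventWithoutChatType: ReactionEvent = {
  chat_id: "oc_1", user_id: "ou_stranger", mentions_bot: false,
};

console.log("vulnerable, explicit group:", isAuthorizedVulnerable(groupEventFromStranger, policy)); // false
console.log("vulnerable, chat_type omitted:", isAuthorizedVulnerable(eventWithoutChatType, policy)); // true (bypass)
console.log("fixed, chat_type omitted:", isAuthorizedFixed(eventWithoutChatType, policy));           // false
```

The general lesson is that an optional field used for an authorization decision must default to the more restrictive branch; when the field that says "this is private" is missing, the code should assume "this is not private" rather than the reverse.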
Potential Impact
The primary risk is unauthorized access and command execution. An attacker within a Feishu group could use this flaw to:
- Send commands to integrated bots or services that should be restricted to specific users.
- Trigger automated workflows or data retrievals without proper authorization.
- Potentially access sensitive information or systems connected through OpenClaw, depending on its configuration.
This could lead to data exposure, unauthorized actions, and a compromise of integrated systems.
Remediation and Mitigation
The vendor has released a fix in OpenClaw version 2026.3.12.
Primary Action: All users must immediately upgrade to OpenClaw 2026.3.12 or later. This update correctly enforces group chat security policies even when the chat_type field is absent.
Temporary Mitigation (If Immediate Patching is Not Possible):
- Review and audit logs for any unexpected reaction event activity from Feishu integrations.
- Consider temporarily restricting high-privilege bot functionalities in group chat environments if feasible within your workflow.
- Isolate OpenClaw instances from accessing the most sensitive downstream systems until the patch is applied.
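The first mitigation above, auditing logs for unexpected reaction events, is easiest when the check is scripted. The following TypeScript is an added example, not OpenClaw's own tooling: the JSON-lines log schema (source, kind, chat_type, chat_id, user_id) and the sample lines are constructed for the illustration, so the field names must be mapped to whatever your OpenClaw instance actually records. It flags Feishu reaction events that arrive without a chat_type field, which is exactly the shape the advisory describes, and also reports unknown chat_type values and unparseable lines so that nothing is silently skipped.

```typescript
// Added example (not OpenClaw's code): audit constructed JSON log lines for
// Feishu reaction events that lack a chat_type field. The schema is invented
// for the example; adapt the field names to your own logs.

interface Finding {
  line: number;     // 1-based line number in the log
  reason: string;
  userId?: string;
}

function auditReactionLog(lines: string[]): Finding[] {
  const findings: Finding[] = [];
  lines.forEach((raw, i) => {
    const lineNo = i + 1;
    if (raw.trim() === "") {
      return; // blank line, nothing to audit
    }
    let rec: any;
    try {
      rec = JSON.parse(raw);
    } catch (e) {
      // A line the parser cannot read is itself worth a look.
      findings.push({ line: lineNo, reason: "unparseable log line" });
      return;
    }
    // Only Feishu reaction events are in scope for this check.
    if (rec.source !== "feishu" || rec.kind !== "reaction") {
      return;
    }
    if (!("chat_type" in rec) || rec.chat_type == null) {
      findings.push({
        line: lineNo,
        reason: "reaction event without chat_type",
        userId: rec.user_id,
      });
    } else if (rec.chat_type !== "p2p" && rec.chat_type !== "group") {
      findings.push({
        line: lineNo,
        reason: "unexpected chat_type value: " + String(rec.chat_type),
        userId: rec.user_id,
      });
    }
  });
  return findings;
}

// Constructed sample log: one normal group reaction, one reaction with
// chat_type missing, one non-reaction message, one p2p reaction, one bad line.
const SAMPLE_LOG: string[] = [
  '{"ts":"2026-03-10T09:00:00Z","source":"feishu","kind":"reaction","chat_type":"group","chat_id":"oc_1","user_id":"ou_admin"}',
  '{"ts":"2026-03-10T09:01:00Z","source":"feishu","kind":"reaction","chat_id":"oc_1","user_id":"ou_stranger"}',
  '{"ts":"2026-03-10T09:02:00Z","source":"feishu","kind":"message","chat_id":"oc_1","user_id":"ou_stranger"}',
  '{"ts":"2026-03-10T09:03:00Z","source":"feishu","kind":"reaction","chat_type":"p2p","chat_id":"oc_2","user_id":"ou_admin"}',
  'not json at all',
];

for (const f of auditReactionLog(SAMPLE_LOG)) {
  console.log(`line ${f.line}: ${f.reason}` + (f.userId ? ` (user ${f.userId})` : ""));
}
```

A hit on "reaction event without chat_type" is not proof of exploitation, since legitimate clients may omit the field, but on an unpatched instance each such event is one that would have been handled as p2p and deserves correlation with what the bot did next.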
Proactive patching remains the most effective defense against such critical vulnerabilities.