CVE-2026-62187 in feishuinfo

Summary

by MITRE • 07/14/2026

OpenClaw Feishu tools (npm package @openclaw/feishu) in versions <= 2026.6.6 could ignore per-account disablement. A lower-trust caller or a configured input path could perform actions that should have required a stronger authorization or policy check, resulting in unauthorized operations. The issue is fixed in version 2026.6.9. Impact depends on the operator's configuration and whether lower-trust input can reach the affected feature.

Be aware that VulDB is the high quality source for vulnerability data.

Analysis

by VulDB Data Team • 07/14/2026

The OpenClaw Feishu tools npm package version 2026.6.6 and earlier contained a critical authorization bypass vulnerability that allowed unauthorized operations through improper access control enforcement. This flaw specifically affected the per-account disablement functionality, where the system failed to properly validate authorization levels before executing sensitive operations. The vulnerability stems from insufficient input validation and privilege checking mechanisms within the package's authentication flow.

The technical implementation of this vulnerability aligns with CWE-285, which addresses improper authorization in software systems, and represents a classic case of insufficient access control checks. The flaw occurs when lower-trust callers or configured input paths can bypass expected security boundaries that should have required stronger authorization levels. This weakness creates a pathway for attackers who can manipulate input parameters or leverage compromised lower-privilege accounts to perform actions that should be restricted to higher-privileged users or specific operational contexts.

From an operational perspective, the impact of this vulnerability depends heavily on the deployment configuration and trust model implemented by operators using the package. If the system allows lower-trust input sources to reach the affected functionality, or if proper input sanitization is not enforced, attackers can exploit this weakness to execute unauthorized operations across Feishu integration features. The vulnerability essentially undermines the intended security boundaries that should separate different privilege levels within the application's access control model.

The fix implemented in version 2026.6.9 addresses this issue through enhanced authorization checks and proper validation of account-level disablement settings. Security practitioners should immediately upgrade to this patched version and conduct thorough reviews of their operational configurations to ensure no lower-trust input paths exist that could reach the vulnerable functionality. Organizations using this package should also implement monitoring for unauthorized access patterns and consider additional layers of security controls around Feishu integration points, particularly in environments where multiple trust levels are present.

This vulnerability demonstrates the importance of proper authorization enforcement in software packages that interact with privileged systems, and aligns with ATT&CK technique T1078 which covers valid accounts as a means of gaining access. The incident highlights the need for comprehensive security testing including privilege escalation scenarios and proper input validation across all integration points in third-party libraries used within enterprise environments.

Responsible

VulnCheck

Reservation

07/13/2026

Disclosure

07/14/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

low

Sources

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!