CVE-2026-62188 in feishuinfo

Summary

by MITRE • 07/14/2026

OpenClaw @openclaw/feishu versions 2026.6.6 and earlier contain an incorrect authorization vulnerability in which the Feishu permission tools could ignore per-account disablement settings. When the affected feature is enabled and reachable, a lower-trust caller or configured input path could perform actions that should have required a stronger authorization or policy check. The issue is fixed in version 2026.6.9.

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Analysis

by VulDB Data Team • 07/14/2026

This vulnerability resides within the OpenClaw @openclaw/feishu package ecosystem where an improper authorization control exists that allows privilege escalation through flawed permission validation mechanisms. The specific flaw manifests when Feishu integration tools fail to properly enforce account-level disablement settings, creating a security gap where less trusted entities can execute operations typically restricted to higher-privilege users. This represents a classic authorization bypass vulnerability that undermines the principle of least privilege and could enable unauthorized access to sensitive functionality within the integrated system.

The technical implementation flaw stems from inadequate validation of authorization boundaries within the Feishu permission framework, where the system fails to properly verify account-specific disablement configurations before allowing execution of privileged operations. When the vulnerable feature is enabled, the system accepts input paths or caller contexts that should be rejected based on established access control policies, effectively creating a backdoor for unauthorized action execution. This vulnerability directly relates to CWE-285 which addresses improper authorization in software systems and aligns with ATT&CK technique T1078 which covers valid accounts and privilege escalation tactics.

The operational impact of this vulnerability extends beyond simple unauthorized access as it enables potential attackers to perform actions that should require stronger authentication or administrative privileges. A malicious actor could exploit this weakness by crafting specific inputs or leveraging lower-trust caller contexts to execute operations that normally would be restricted, potentially leading to data manipulation, privilege escalation, or unauthorized system modifications. The vulnerability affects all versions up to and including 2026.6.6, making it a significant concern for organizations that have not yet upgraded to the patched version.

Organizations should immediately upgrade to version 2026.6.9 which contains the necessary fixes to address the authorization bypass issue. Security teams should conduct thorough assessments of their Feishu integration configurations to identify any potential exploitation vectors and implement monitoring for suspicious activities related to privileged operations. The fix implemented in the newer version likely includes enhanced validation mechanisms that properly enforce account-level disablement settings and ensure that all permission checks are performed against the correct authorization boundaries. Additionally, system administrators should review and audit existing access control policies to verify that no unauthorized actions have occurred during the vulnerability window and consider implementing additional monitoring controls to detect similar authorization anomalies in other integrated systems.

Responsible

VulnCheck

Reservation

07/13/2026

Disclosure

07/14/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

low

Sources

Do you want to use VulDB in your project?

Use the official API to access entries easily!