@openclaw/feishu@2026.5.2-beta.1

OpenClaw Feishu/Lark channel plugin for chats and workplace tools (community maintained by @m1heng).

  • latest version

    2026.7.1

  • latest non vulnerable version

  • first published

    5 months ago

  • latest version published

    2 days ago

  • Direct Vulnerabilities

    Known vulnerabilities in the @openclaw/feishu package. This does not include vulnerabilities belonging to this package’s dependencies.

    Fix vulnerabilities automatically

    Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

    Fix for free
    VulnerabilityVulnerable Version
    • H
    Incorrect Authorization

    @openclaw/feishu is an OpenClaw Feishu/Lark channel plugin (community maintained by @m1heng)

    Affected versions of this package are vulnerable to Incorrect Authorization in the feishu process. An attacker can perform unauthorized operations by exploiting insufficient authorization checks on certain actions, allowing lower-trust callers or configured input paths to bypass intended restrictions.

    How to fix Incorrect Authorization?

    Upgrade @openclaw/feishu to version 2026.6.9 or higher.

    <2026.6.9
    • H
    Incorrect Authorization

    @openclaw/feishu is an OpenClaw Feishu/Lark channel plugin (community maintained by @m1heng)

    Affected versions of this package are vulnerable to Incorrect Authorization due to the Feishu permission tools process. An attacker can gain unauthorized access to perform privileged actions by exploiting the lack of proper authorization checks on per-account disablement settings when the affected feature is enabled and reachable.

    How to fix Incorrect Authorization?

    Upgrade @openclaw/feishu to version 2026.6.9 or higher.

    <2026.6.9
    • M
    Incorrect Authorization

    @openclaw/feishu is an OpenClaw Feishu/Lark channel plugin (community maintained by @m1heng)

    Affected versions of this package are vulnerable to Incorrect Authorization through the Feishu card-action callback process. An attacker can bypass intended policy restrictions by crafting a card-action event that misclassifies direct messages as group conversations, thereby avoiding enforcement of dmPolicy.

    How to fix Incorrect Authorization?

    Upgrade @openclaw/feishu to version 2026.5.2 or higher.

    <2026.5.2
    • C
    Insecure Default Initialization of Resource

    @openclaw/feishu is an OpenClaw Feishu/Lark channel plugin (community maintained by @m1heng)

    Affected versions of this package are vulnerable to Insecure Default Initialization of Resource via improper validation of the encryptKey configuration and blank callback tokens. An attacker can gain unauthorized access to command dispatch functionality by sending unauthenticated webhook or malformed card-action requests.

    How to fix Insecure Default Initialization of Resource?

    Upgrade @openclaw/feishu to version 2026.5.2 or higher.

    >=2026.3.12 <2026.5.2
    • M
    Incorrect Authorization

    @openclaw/feishu is an OpenClaw Feishu/Lark channel plugin (community maintained by @m1heng)

    Affected versions of this package are vulnerable to Incorrect Authorization in the process that fetches quoted, root, or thread context messages, which bypasses the sender allowlist. An attacker can access message content from unauthorized senders by exploiting the lack of proper sender validation in this process.

    How to fix Incorrect Authorization?

    Upgrade @openclaw/feishu to version 2026.5.2 or higher.

    <2026.5.2
    • M
    Incorrect Authorization

    @openclaw/feishu is an OpenClaw Feishu/Lark channel plugin (community maintained by @m1heng)

    Affected versions of this package are vulnerable to Incorrect Authorization via the upload_image process in the Feishu extension. An attacker can access arbitrary files outside the intended file-system sandbox by submitting crafted upload paths.

    How to fix Incorrect Authorization?

    Upgrade @openclaw/feishu to version 2026.5.2 or higher.

    >=2026.2.6 <2026.5.2
    • H
    Allocation of Resources Without Limits or Throttling

    @openclaw/feishu is an OpenClaw Feishu/Lark channel plugin (community maintained by @m1heng)

    Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling through the installRequestBodyLimitGuard function in the Feishu webhook handler, which applies permissive body size and timeout limits before authentication. An attacker can exhaust server connection resources and block legitimate webhook deliveries by sending multiple slow HTTP POST requests to the affected endpoint.

    How to fix Allocation of Resources Without Limits or Throttling?

    Upgrade @openclaw/feishu to version 2026.5.2 or higher.

    <2026.5.2
    • M
    Incorrect Authorization

    @openclaw/feishu is an OpenClaw Feishu/Lark channel plugin (community maintained by @m1heng)

    Affected versions of this package are vulnerable to Incorrect Authorization via the callback handling process. An attacker can gain unauthorized access to callback functionality by sending specially crafted legacy raw card payloads that bypass recipient pairing checks.

    How to fix Incorrect Authorization?

    Upgrade @openclaw/feishu to version 2026.5.2 or higher.

    <2026.5.2
    • H
    Allocation of Resources Without Limits or Throttling

    @openclaw/feishu is an OpenClaw Feishu/Lark channel plugin (community maintained by @m1heng)

    Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the Feishu webhook handling process. An attacker can cause excessive resource consumption by sending unauthenticated requests that are fully parsed before signature validation.

    How to fix Allocation of Resources Without Limits or Throttling?

    Upgrade @openclaw/feishu to version 2026.5.2 or higher.

    <2026.5.2