PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-62187 openclaw CVE debrief

The OpenClaw Feishu tools (npm package @openclaw/feishu) in versions <= 2026.6.6 are vulnerable to an authorization bypass. A lower-trust caller or a configured input path could perform actions that should have required a stronger authorization or policy check, resulting in unauthorized operations. The issue is fixed in version 2026.6.9. This vulnerability could allow attackers to perform actions that should require stronger authorization, potentially leading to unauthorized operations. The impact depends on the operator's configuration and whether lower-trust input can reach the affected feature.

Vendor
openclaw
Product
feishu
CVSS
HIGH 8.6
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-13
Original CVE updated
2026-07-13
Advisory published
2026-07-13
Advisory updated
2026-07-13

Who should care

Users of OpenClaw Feishu tools (npm package @openclaw/feishu) in versions <= 2026.6.6 should be aware of this vulnerability and take steps to mitigate it. This includes reviewing configurations to ensure lower-trust input is properly validated and monitoring for suspicious activity. Operators should also review and update configurations to prevent lower-trust input from reaching the affected feature.

Technical summary

The OpenClaw Feishu tools (npm package @openclaw/feishu) in versions <= 2026.6.6 could ignore per-account disablement. A lower-trust caller or a configured input path could perform actions that should have required a stronger authorization or policy check, resulting in unauthorized operations. The issue is fixed in version 2026.6.9. Impact depends on the operator's configuration and whether lower-trust input can reach the affected feature. The vulnerability could allow attackers to perform actions that should require stronger authorization, potentially leading to unauthorized operations.

Defensive priority

High

Recommended defensive actions

  • Upgrade to version 2026.6.9 or later
  • Review and update configurations to ensure lower-trust input is properly validated
  • Monitor for suspicious activity
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up

Evidence notes

The CVE record was published on 2026-07-13T22:16:49.753Z and has not been modified since then. The NVD entry is currently Received. There is limited information available about the vulnerability, and defenders should verify the affected scope and severity with the vendor. The OpenClaw Feishu tools (npm package @openclaw/feishu) in versions <= 2026.6.6 could ignore per-account disablement, potentially allowing lower-trust callers or configured input paths to perform unauthorized operations.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-13T22:16:49.753Z and has not been modified since then. The NVD entry is currently Received.