PatchSiren cyber security CVE debrief
CVE-2026-62187 openclaw CVE debrief
The OpenClaw Feishu tools (npm package @openclaw/feishu) in versions <= 2026.6.6 are vulnerable to an authorization bypass. A lower-trust caller or a configured input path could perform actions that should have required a stronger authorization or policy check, resulting in unauthorized operations. The issue is fixed in version 2026.6.9. This vulnerability could allow attackers to perform actions that should require stronger authorization, potentially leading to unauthorized operations. The impact depends on the operator's configuration and whether lower-trust input can reach the affected feature.
- Vendor
- openclaw
- Product
- feishu
- CVSS
- HIGH 8.6
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-13
- Original CVE updated
- 2026-07-13
- Advisory published
- 2026-07-13
- Advisory updated
- 2026-07-13
Who should care
Users of OpenClaw Feishu tools (npm package @openclaw/feishu) in versions <= 2026.6.6 should be aware of this vulnerability and take steps to mitigate it. This includes reviewing configurations to ensure lower-trust input is properly validated and monitoring for suspicious activity. Operators should also review and update configurations to prevent lower-trust input from reaching the affected feature.
Technical summary
The OpenClaw Feishu tools (npm package @openclaw/feishu) in versions <= 2026.6.6 could ignore per-account disablement. A lower-trust caller or a configured input path could perform actions that should have required a stronger authorization or policy check, resulting in unauthorized operations. The issue is fixed in version 2026.6.9. Impact depends on the operator's configuration and whether lower-trust input can reach the affected feature. The vulnerability could allow attackers to perform actions that should require stronger authorization, potentially leading to unauthorized operations.
Defensive priority
High
Recommended defensive actions
- Upgrade to version 2026.6.9 or later
- Review and update configurations to ensure lower-trust input is properly validated
- Monitor for suspicious activity
- Review compensating controls for exposed systems while remediation is scheduled and verified
- Check relevant monitoring, detection, and logs for exposed assets that need extra review
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
Evidence notes
The CVE record was published on 2026-07-13T22:16:49.753Z and has not been modified since then. The NVD entry is currently Received. There is limited information available about the vulnerability, and defenders should verify the affected scope and severity with the vendor. The OpenClaw Feishu tools (npm package @openclaw/feishu) in versions <= 2026.6.6 could ignore per-account disablement, potentially allowing lower-trust callers or configured input paths to perform unauthorized operations.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-13T22:16:49.753Z and has not been modified since then. The NVD entry is currently Received.