GHSA-m69h-jm2f-2pv8
OpenClaw: Feishu reaction events could bypass group authorization and mention gating
Details
### Summary
A Feishu reaction-originated synthetic event could misclassify a group conversation as `p2p` when the inbound reaction payload omitted `chat_type`. Authorization and mention-gating logic keyed off that incorrect chat type and evaluated the event as a direct message instead of a group message.
### Impact
This could bypass `groupAllowFrom` and `requireMention` protections for reaction-derived events in Feishu group chats.
### Affected versions
`openclaw` `<= 2026.3.11`
### Patch
Fixed in `openclaw` `2026.3.12`. Reaction events now preserve the correct group context before authorization and mention-gate evaluation. Users should update to `2026.3.12` or later.
Are you affected?
Enter the version of the package you're using.
Affected packages
References
- https://github.com/openclaw/openclaw/security/advisories/GHSA-m69h-jm2f-2pv8 [WEB]
- https://github.com/openclaw/openclaw/pull/44088 [WEB]
- https://github.com/openclaw/openclaw/commit/3e730c0332eb0a3dc9e1e8c29a5f95e933317b41 [WEB]
- https://github.com/openclaw/openclaw [PACKAGE]
- https://github.com/openclaw/openclaw/releases/tag/v2026.3.12 [WEB]