GHSA-3h52-cx59-c456

Suggest an improvement
Source
https://github.com/advisories/GHSA-3h52-cx59-c456
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-3h52-cx59-c456/GHSA-3h52-cx59-c456.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-3h52-cx59-c456
Published
2026-03-29T15:48:58Z
Modified
2026-03-29T16:04:55.082015Z
Summary
OpenClaw: Feishu webhook reads and parses unauthenticated request bodies before signature validation
Details

Summary

Feishu webhook reads and parses unauthenticated request bodies before signature validation

Affected Packages / Versions

  • Package: openclaw
  • Affected versions: <= 2026.3.24
  • First patched version: 2026.3.25
  • Latest published npm version at verification time: 2026.3.24

Details

Feishu webhook handling previously parsed JSON before signature validation, which let unauthenticated callers force full JSON parsing work before rejection. Commit 5e8cb22176e9235e224be0bc530699261eb60e53 reads the raw request body, validates the signature first, and only then parses JSON.

Verified vulnerable on tag v2026.3.24 and fixed on main by commit 5e8cb22176e9235e224be0bc530699261eb60e53.

Fix Commit(s)

  • 5e8cb22176e9235e224be0bc530699261eb60e53
Database specific 
{
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-400"
    ],
    "nvd_published_at": null,
    "github_reviewed_at": "2026-03-29T15:48:58Z",
    "severity": "MODERATE"
}
References

Affected packages

npm / openclaw

Package

Name
openclaw
View open source insights on deps.dev
Purl
pkg:npm/openclaw

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2026.3.28

Database specific

last_known_affected_version_range 
"<= 2026.3.24"
source 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-3h52-cx59-c456/GHSA-3h52-cx59-c456.json"