CVE-2026-32021

描述

### Summary Feishu allowlist authorization could be bypassed by display-name collision. ### Details `channels.feishu.allowFrom` is documented as an ID-based allowlist (open_id list), but Feishu policy matching accepted mutable sender display names in the same namespace. An attacker could set a display name equal to an allowlisted ID string and pass authorization checks. The fix enforces ID-only matching for Feishu allowlist checks, normalizes Feishu ID prefixes during comparison, and ignores mutable display names for authorization. ### Impact Deployments using Feishu allowlist-based authorization could incorrectly authorize non-allowlisted senders when a colliding display name was used. ### Affected Packages / Versions - Package: `openclaw` (npm) - Latest published version at triage time: `2026.2.21-2` - Affected range: `<= 2026.2.21-2` - Planned patched version: `>= 2026.2.22` ### Fix Commit(s) - `4ed87a667263ed2d422b9d5d5a5d326e099f92c7` ### Release Process Note `patched_versions` is pre-set to the planned next release (`>= 2026.2.22`) so the advisory is ready to publish once that npm release is available. OpenClaw thanks @jiseoung for reporting.

受影響套件(1)

• npm/openclawfrom 0, < 2026.2.22

CVSS 分數

參考連結(5)

• ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2026-32021
• PATCHhttps://github.com/openclaw/openclaw
• WEBhttps://github.com/openclaw/openclaw/commit/4ed87a667263ed2d422b9d5d5a5d326e099f92c7
• WEBhttps://github.com/openclaw/openclaw/security/advisories/GHSA-j4xf-96qf-rx69
• WEBhttps://www.vulncheck.com/advisories/openclaw-authorization-bypass-via-display-name-collision-in-feishu-allowfrom