From 20f6c6b5440c1df4bb892b10bee83b9926a6e7d4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=F0=9F=8E=96Warrior=20=F0=9F=8E=96?=
Date: Sat, 14 Mar 2026 23:28:30 +0400
Subject: [PATCH 1/2] Improve GHSA-g353-mgv3-8pcj

---
 .../2026/03/GHSA-g353-mgv3-8pcj/GHSA-g353-mgv3-8pcj.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/advisories/github-reviewed/2026/03/GHSA-g353-mgv3-8pcj/GHSA-g353-mgv3-8pcj.json b/advisories/github-reviewed/2026/03/GHSA-g353-mgv3-8pcj/GHSA-g353-mgv3-8pcj.json
index 78161cce76b83..f554fb52944e3 100644
--- a/advisories/github-reviewed/2026/03/GHSA-g353-mgv3-8pcj/GHSA-g353-mgv3-8pcj.json
+++ b/advisories/github-reviewed/2026/03/GHSA-g353-mgv3-8pcj/GHSA-g353-mgv3-8pcj.json
@@ -1,11 +1,11 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-g353-mgv3-8pcj",
- "modified": "2026-03-13T20:55:34Z",
+ "modified": "2026-03-13T20:55:35Z",
 "published": "2026-03-13T20:55:34Z",
 "aliases": [],
 "summary": "OpenClaw: Feishu webhook mode accepted forged events when only `verificationToken` was configured",
- "details": "### Summary\n\nFeishu webhook mode allowed deployments that configured only `verificationToken` without `encryptKey`. In that state, forged inbound events could be accepted because the weaker configuration did not provide the required cryptographic verification boundary.\n\n### Impact\n\nAn unauthenticated network attacker who could reach the webhook endpoint could inject forged Feishu events, impersonate senders, and potentially trigger downstream tool execution subject to the local agent policy.\n\n### Affected versions\n\n`openclaw` `<= 2026.3.11`\n\n### Patch\n\nFixed in `openclaw` `2026.3.12`. Feishu webhook mode now fails closed unless `encryptKey` is configured, and the webhook transport rejects missing or invalid signatures before dispatch. Update to `2026.3.12` or later and configure `encryptKey` for webhook deployments.",
+ "details": "### Summary\n\nFeishu webhook mode allowed deployments that configured only `verificationToken` without `encryptKey`. In that state, forged inbound events could be accepted because the weaker configuration did not provide the required cryptographic verification boundary.\n\n### Impact\n\nAn unauthenticated network attacker who could reach the webhook endpoint could inject forged Feishu events, impersonate senders, and potentially trigger downstream tool execution subject to the local agent policy.\n\n### Affected versions\n\n`openclaw` `<= 2026.3.11`\n\n### Patch\n\nFixed in `openclaw` `2026.3.12`. Feishu webhook mode now fails closed unless `encryptKey` is configured, and the webhook transport rejects missing or invalid signatures before dispatch. 
Update to `2026.3.12` or later and configure `encryptKey` for webhook deployments.\n🚀 طريقة الاستخدام:\n# 1. إنشاء الملف\nnano security-fix.sh\n# [الصق المحتوى من الـ Artifact]\n\n# 2. إعطاء صلاحيات التنفيذ\nchmod +x security-fix.sh\n\n# 3. التشغيل\n./security-fix.sh",
 "severity": [
 {
 "type": "CVSS_V3",
From 743675fec64144c0ddc46df8e60391ffbcb4b032 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=F0=9F=8E=96Warrior=20=F0=9F=8E=96?=
Date: Sun, 15 Mar 2026 00:08:39 +0400
Subject: [PATCH 2/2] Improve GHSA-g353-mgv3-8pcj

---
 .../2026/03/GHSA-g353-mgv3-8pcj/GHSA-g353-mgv3-8pcj.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/advisories/github-reviewed/2026/03/GHSA-g353-mgv3-8pcj/GHSA-g353-mgv3-8pcj.json b/advisories/github-reviewed/2026/03/GHSA-g353-mgv3-8pcj/GHSA-g353-mgv3-8pcj.json
index f554fb52944e3..9247ce4792d22 100644
--- a/advisories/github-reviewed/2026/03/GHSA-g353-mgv3-8pcj/GHSA-g353-mgv3-8pcj.json
+++ b/advisories/github-reviewed/2026/03/GHSA-g353-mgv3-8pcj/GHSA-g353-mgv3-8pcj.json
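Review bot: The block appended to the end of the new `details` value — `\n🚀 طريقة الاستخدام:\n# 1. إنشاء الملف\nnano security-fix.sh\n# [الصق المحتوى من الـ Artifact]\n…\n./security-fix.sh` — is not part of the GHSA-g353-mgv3-8pcj advisory and should be removed: it tells readers to create and execute a `security-fix.sh` whose contents are to be pasted from an "Artifact" that exists nowhere in this record or repository, so the advisory would be directing users to run unverified code, and it is in a different language from the rest of the record. The real remediation is already stated in the preceding sentence (update to `openclaw` `2026.3.12` or later and configure `encryptKey`), so the `details` string should end at `for webhook deployments.` exactly as on the removed line, and the one-second bump of `modified` then has no content change to accompany it. Because `details` is rendered as Markdown, the `# 1.`/`# 2.`/`# 3.` lines would also appear as top-level headings rather than shell comments. The second patch in this series (`@@ -5,7 +5,7 @@`) only inserts an extra `\n` before the same block and has the same problem.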
@@ -5,7 +5,7 @@
 "published": "2026-03-13T20:55:34Z",
 "aliases": [],
 "summary": "OpenClaw: Feishu webhook mode accepted forged events when only `verificationToken` was configured",
- "details": "### Summary\n\nFeishu webhook mode allowed deployments that configured only `verificationToken` without `encryptKey`. In that state, forged inbound events could be accepted because the weaker configuration did not provide the required cryptographic verification boundary.\n\n### Impact\n\nAn unauthenticated network attacker who could reach the webhook endpoint could inject forged Feishu events, impersonate senders, and potentially trigger downstream tool execution subject to the local agent policy.\n\n### Affected versions\n\n`openclaw` `<= 2026.3.11`\n\n### Patch\n\nFixed in `openclaw` `2026.3.12`. Feishu webhook mode now fails closed unless `encryptKey` is configured, and the webhook transport rejects missing or invalid signatures before dispatch. Update to `2026.3.12` or later and configure `encryptKey` for webhook deployments.\n🚀 طريقة الاستخدام:\n# 1. إنشاء الملف\nnano security-fix.sh\n# [الصق المحتوى من الـ Artifact]\n\n# 2. إعطاء صلاحيات التنفيذ\nchmod +x security-fix.sh\n\n# 3. التشغيل\n./security-fix.sh",
+ "details": "### Summary\n\nFeishu webhook mode allowed deployments that configured only `verificationToken` without `encryptKey`. In that state, forged inbound events could be accepted because the weaker configuration did not provide the required cryptographic verification boundary.\n\n### Impact\n\nAn unauthenticated network attacker who could reach the webhook endpoint could inject forged Feishu events, impersonate senders, and potentially trigger downstream tool execution subject to the local agent policy.\n\n### Affected versions\n\n`openclaw` `<= 2026.3.11`\n\n### Patch\n\nFixed in `openclaw` `2026.3.12`. Feishu webhook mode now fails closed unless `encryptKey` is configured, and the webhook transport rejects missing or invalid signatures before dispatch. 
Update to `2026.3.12` or later and configure `encryptKey` for webhook deployments.\n\n🚀 طريقة الاستخدام:\n# 1. إنشاء الملف\nnano security-fix.sh\n# [الصق المحتوى من الـ Artifact]\n\n# 2. إعطاء صلاحيات التنفيذ\nchmod +x security-fix.sh\n\n# 3. التشغيل\n./security-fix.sh",
 "severity": [
 {
 "type": "CVSS_V3",