Source: GitHub Security Advisories

[openclaw] OpenClaw: Feishu webhook mode accepted forged events when only `verificationToken` was configured

By GitHub
March 14, 2026

**Summary** Feishu webhook mode allowed deployments that configured only `verificationToken` without `encryptKey`. In that state, forged inbound events could be accepted because the weaker configuration did not provide the required cryptographic verification boundary.

**Impact** An unauthenticated network attacker who could reach the webhook endpoint could inject forged Feishu events, impersonate senders, and potentially trigger downstream tool execution subject to the local agent policy.

**Affected versions** openclaw <= 2026.3.11

**Patch** Fixed in openclaw 2026.3.12. Feishu webhook mode now fails closed unless `encryptKey` is configured, and the webhook transport rejects missing or invalid signatures before dispatch...
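The fail-closed behaviour the patch describes, as an added example that is not OpenClaw's own code: the gate refuses to start without `encryptKey`, and every inbound event must carry a valid signature before anything is dispatched. It assumes Feishu's signature scheme (hex SHA-256 over timestamp + nonce + encryptKey + raw body, carried in `X-Lark-Request-Timestamp`, `X-Lark-Request-Nonce` and `X-Lark-Signature`) and an assumed 300-second replay window; the token check at the end shows why `verificationToken` alone is not a proof of origin.

```python
# Added example (not OpenClaw's own code): a fail-closed Feishu webhook gate
# modelled on the fix in the advisory. Assumed Feishu scheme: X-Lark-Signature is
# hex SHA-256 over timestamp + nonce + encryptKey + raw body (headers as below).
import hashlib
import hmac
import json
import time

MAX_SKEW_SECONDS = 300  # replay window; an assumed policy, not from the advisory


class WebhookConfigError(ValueError):
    """Raised when the webhook would run without a cryptographic boundary."""


class FeishuWebhookGate:
    def __init__(self, verification_token=None, encrypt_key=None):
        # Fail closed: a token alone binds nothing to the body, so encryptKey is mandatory.
        if not encrypt_key:
            raise WebhookConfigError("encryptKey is required for Feishu webhook mode")
        self.verification_token = verification_token
        self.encrypt_key = encrypt_key

    def expected_signature(self, timestamp, nonce, body):
        data = (timestamp + nonce + self.encrypt_key).encode() + body
        return hashlib.sha256(data).hexdigest()

    def check(self, headers, body, now=None):
        """Return (accepted, reason). Nothing is dispatched unless accepted."""
        ts = headers.get("X-Lark-Request-Timestamp")
        nonce = headers.get("X-Lark-Request-Nonce")
        sig = headers.get("X-Lark-Signature")
        if not (ts and nonce and sig):
            return False, "missing signature headers"
        if not ts.isdigit():
            return False, "malformed timestamp"
        now = time.time() if now is None else now
        if abs(now - int(ts)) > MAX_SKEW_SECONDS:
            return False, "stale timestamp (possible replay)"
        # Constant-time compare so a forger cannot probe the digest byte by byte.
        if not hmac.compare_digest(self.expected_signature(ts, nonce, body), sig):
            return False, "invalid signature"
        try:
            event = json.loads(body)
        except ValueError:
            return False, "body is not JSON"
        # Token is checked only after the signature: it is an identity hint, not a proof.
        token = event.get("header", {}).get("token", event.get("token"))
        if self.verification_token and token != self.verification_token:
            return False, "verification token mismatch"
        return True, "accepted"
```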

---

**[devsupporter commentary]**

This article is the latest development news provided by GitHub Security Advisories. To learn more about the related tools or technologies, refer to the original link.