Skip to content
CVSS 9.8 · CRITICAL

CVE-2026-44109

OpenClaw before 2026.4.15 contains an authentication bypass vulnerability in Feishu webhook and card-action validation that allows unauthenticated requests to reach command dispatch. Missing encryptKey configuration and blank callback tokens fail open instead of rejecting requests, enabling attackers to bypass signature verification and replay protection to execute arbitrary commands.

View on NVD

Analysis

OpenClaw is an integration tool for Feishu webhooks which has very limited adoption within the Mexican developer ecosystem compared to Slack or Microsoft Teams. While the vulnerability is critical and allows unauthenticated command execution, the niche nature of the software makes it low priority for this specific community.

Severity

Score: 9.8(CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
AV: NETWORK
AC: LOW
PR: NONE
UI: NONE
S: UNCHANGED
C: HIGH
I: HIGH
A: HIGH
Weakness (CWE): CWE-1188

EPSS

No EPSS score yet (CVE may be too fresh).

Technical description

OpenClaw before 2026.4.15 contains an authentication bypass vulnerability in Feishu webhook and card-action validation that allows unauthenticated requests to reach command dispatch. Missing encryptKey configuration and blank callback tokens fail open instead of rejecting requests, enabling attackers to bypass signature verification and replay protection to execute arbitrary commands.

Published: 5/6/2026, 8:16:34 PM
Last modified: 5/6/2026, 9:20:52 PM

References

HomeEventsBlogResourcesTeam