CVE-2026-44109
CriticalSummary
OpenClaw before version 2026.4.15 contains an authentication bypass vulnerability in Feishu webhook and card-action validation that allows unauthenticated requests to reach command dispatch. Missing encryptKey configuration and blank callback tokens fail open instead of rejecting requests, enabling attackers to bypass signature verification and replay protection to execute arbitrary commands.
Risk Assessment
This vulnerability poses a serious risk to organizations by allowing attackers to execute arbitrary commands without authorization. This could lead to unauthorized access to systems and data.
Recommendation
It is recommended to update OpenClaw to the latest version to eliminate this vulnerability. Additionally, ensure that encryptKey is configured and that callback tokens are not left blank.
Original NVD description (English source)
OpenClaw before 2026.4.15 contains an authentication bypass vulnerability in Feishu webhook and card-action validation that allows unauthenticated requests to reach command dispatch. Missing encryptKey configuration and blank callback tokens fail open instead of rejecting requests, enabling attackers to bypass signature verification and replay protection to execute arbitrary commands.

