Description
OpenClaw before 2026.4.15 contains an authentication bypass vulnerability in Feishu webhook and card-action validation that allows unauthenticated requests to reach command dispatch. Missing encryptKey configuration and blank callback tokens fail open instead of rejecting requests, enabling attackers to bypass signature verification and replay protection to execute arbitrary commands.
Published: 2026-05-06
Score: 9.2 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability enables attackers to send unauthenticated requests to the Feishu webhook or card-action endpoint, bypassing the expected authentication checks. Because the missing or blank encryptKey and callback token values are treated as valid, the request reaches the internal command dispatch and allows arbitrary command execution. This is a classic authentication bypass flaw, classified as CWE-1188, which can lead to full compromise of the affected system.

Affected Systems

The flaw is present in OpenClaw releases earlier than 2026.4.15. Any deployment that integrates Feishu webhook or card-action functionality and relies on a missing or empty encryptKey configuration, or an unset callback token, is susceptible to the bypass.

Risk and Exploitability

The CVSS score of 9.2 marks it as critical. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog. Based on the described mechanism, the likely attack vector is remote over the network; an attacker can craft unauthenticated HTTP requests directed at the webhook endpoint to trigger arbitrary commands.

Generated by OpenCVE AI on May 6, 2026 at 21:49 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OpenClaw to version 2026.4.15 or later to eliminate the flaw.
  • Configure a non-empty encryptKey for the Feishu webhook integration and ensure callback tokens are properly set.
  • Restrict the webhook endpoint to authenticated traffic or block unauthenticated requests at the network layer.

Advisories

No advisories yet.

History

Thu, 07 May 2026 13:15:00 +0000

Type: Metrics
Values added: ssvc
{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 06 May 2026 20:15:00 +0000

Type: Description
Values added: OpenClaw before 2026.4.15 contains an authentication bypass vulnerability in Feishu webhook and card-action validation that allows unauthenticated requests to reach command dispatch. Missing encryptKey configuration and blank callback tokens fail open instead of rejecting requests, enabling attackers to bypass signature verification and replay protection to execute arbitrary commands.

Type: Title
Values added: OpenClaw < 2026.4.15 - Authentication Bypass in Feishu Webhook and Card-Action Validation

Type: First time appeared
Values added: Openclaw; Openclaw openclaw

Type: Weaknesses
Values added: CWE-1188

Type: CPEs
Values added: cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*

Type: Vendors & Products
Values added: Openclaw; Openclaw openclaw

Type: References
Values added:

Type: Metrics
Values added: cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
cvssV4_0 {'score': 9.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-07T12:35:11.405Z

Reserved: 2026-05-05T11:30:46.259Z

Link: CVE-2026-44109

Vulnrichment

Updated: 2026-05-07T12:34:52.145Z

NVD

Status : Awaiting Analysis

Published: 2026-05-06T20:16:34.620

Modified: 2026-05-06T21:20:52.707

Link: CVE-2026-44109

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-06T22:15:13Z

Weaknesses