Vulnerability Description
OpenClaw before 2026.4.15 contains an authentication bypass vulnerability in Feishu webhook and card-action validation that allows unauthenticated requests to reach command dispatch. Missing encryptKey configuration and blank callback tokens fail open instead of rejecting requests, enabling attackers to bypass signature verification and replay protection to execute arbitrary commands.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Openclaw | Openclaw | < 2026.4.15 |
Related Weaknesses (CWE)
References
- https://github.com/openclaw/openclaw/commit/c8003f1b33ed2924be5f62131bd28742c5a4Patch
- https://github.com/openclaw/openclaw/security/advisories/GHSA-xh72-v6v9-mwhcMitigationVendor Advisory
- https://www.vulncheck.com/advisories/openclaw-authentication-bypass-in-feishu-weThird Party Advisory
FAQ
What is CVE-2026-44109?
CVE-2026-44109 is a vulnerability with a CVSS score of 9.8 (CRITICAL). OpenClaw before 2026.4.15 contains an authentication bypass vulnerability in Feishu webhook and card-action validation that allows unauthenticated requests to reach command dispatch. Missing encryptKe...
How severe is CVE-2026-44109?
CVE-2026-44109 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2026-44109?
Check the references section above for vendor advisories and patch information. Affected products include: Openclaw Openclaw.