CVE-2026-35664
Authentication Bypass in OpenClaw Raw Card Send Allows Unauthorized Access
Publication date: 2026-04-10
Last updated on: 2026-04-13
Assigner: VulnCheck
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| openclaw | openclaw | < 2026.3.25 (excluding 2026.3.25) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-288 | The product requires authentication, but the product has an alternate path or channel that does not require authentication. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in OpenClaw versions before 2026.3.25 and involves an authentication bypass in the raw card send surface. It allows attackers who are not paired recipients to create legacy callback payloads. Essentially, attackers can send raw card commands that bypass device management (DM) pairing restrictions and access callback handling functions without proper authorization.
How can this vulnerability impact me?
The impact of this vulnerability is that unauthorized attackers can bypass authentication controls and send commands that should only be accessible to paired devices. This can lead to unauthorized actions being performed through the callback handling mechanism, potentially compromising the integrity of the system or application that uses OpenClaw.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify any direct impact of CVE-2026-35664 on compliance with common standards and regulations such as GDPR or HIPAA.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves identifying legacy raw card command payloads in Feishu card interactions that bypass DM pairing restrictions. Specifically, look for card payloads containing unstructured command or text fields such as { command: "/new" } or { text: "/new" } in button values.
A recursive scan of card payloads to detect legacy command values can be performed by checking if the payload contains objects with an 'oc' field that does not match the current FEISHU_CARD_INTERACTION_VERSION and includes non-empty 'command' or 'text' string fields.
While no explicit commands are provided in the resources, detection can be approached by monitoring or logging raw card send traffic for legacy command patterns and verifying if any card buttons trigger unstructured commands instead of structured interaction envelopes.
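The detection heuristic described above, written out as a recursive payload scan. This is an added example, not OpenClaw's own code: the constant name FEISHU_CARD_INTERACTION_VERSION comes from the answer above, but its value, the shape of a structured envelope, and the sample card are assumptions constructed for the example.

```javascript
// Added example (not OpenClaw project code). Walks a Feishu card payload and flags
// button values that carry a bare "command" or "text" string without a structured
// interaction envelope whose "oc" field matches the current version.
// The constant's value is an assumption for this example.
const FEISHU_CARD_INTERACTION_VERSION = "v2";

// A value is treated as a legacy raw-command payload when it has a non-empty
// "command" or "text" string and its "oc" marker is missing or stale.
function isLegacyCommandValue(value) {
  if (value === null || typeof value !== "object" || Array.isArray(value)) return false;
  const hasCommand = typeof value.command === "string" && value.command.trim() !== "";
  const hasText = typeof value.text === "string" && value.text.trim() !== "";
  if (!hasCommand && !hasText) return false;
  return value.oc !== FEISHU_CARD_INTERACTION_VERSION;
}

// Recursively scans any JSON-like card structure and returns the JSONPath-style
// location and the raw command of every legacy value found.
function findLegacyCommandValues(node, path = "$") {
  const findings = [];
  if (Array.isArray(node)) {
    node.forEach((child, i) => {
      findings.push(...findLegacyCommandValues(child, `${path}[${i}]`));
    });
  } else if (node !== null && typeof node === "object") {
    if (isLegacyCommandValue(node)) {
      findings.push({ path, command: node.command ?? node.text });
    }
    for (const [key, child] of Object.entries(node)) {
      findings.push(...findLegacyCommandValues(child, `${path}.${key}`));
    }
  }
  return findings;
}

// Constructed sample card: one structured button, two legacy buttons.
const SAMPLE_CARD = {
  header: { title: { tag: "plain_text", content: "Session" } },
  elements: [
    {
      tag: "action",
      actions: [
        // Structured envelope: current "oc" version marker present (assumed shape).
        {
          tag: "button",
          text: { tag: "plain_text", content: "OK" },
          value: { oc: FEISHU_CARD_INTERACTION_VERSION, action: "ack" },
        },
        // Legacy: bare command with no envelope at all.
        {
          tag: "button",
          text: { tag: "plain_text", content: "New" },
          value: { command: "/new" },
        },
        // Legacy: stale envelope version carrying a raw text command.
        {
          tag: "button",
          text: { tag: "plain_text", content: "Old" },
          value: { oc: "v1", text: "/new" },
        },
      ],
    },
  ],
};

function scanSampleCard() {
  return findLegacyCommandValues(SAMPLE_CARD);
}

for (const hit of scanSampleCard()) {
  console.log(`legacy raw command at ${hit.path}: ${hit.command}`);
}
```

Note that Feishu button labels live under `text.content`, so the scan does not trip on ordinary display text; only objects with a bare `text` or `command` string and no current-version `oc` marker are reported, which is what a pre-upgrade log review or proxy rule would key on.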
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade OpenClaw to version 2026.3.25 or later, where the vulnerability has been fixed by rejecting legacy raw card command payloads.
The patch enforces that Feishu card buttons triggering text or commands must use structured interaction envelopes containing metadata fields, preventing unpaired recipients from bypassing DM pairing restrictions.
Until the upgrade is applied, monitor and block any raw card commands containing legacy command or text fields in your environment to reduce the risk of exploitation.