CVE-2026-35664
Received Received - Intake
Authentication Bypass in OpenClaw Raw Card Send Allows Unauthorized Access

Publication date: 2026-04-10

Last updated on: 2026-04-13

Assigner: VulnCheck

Description
OpenClaw before 2026.3.25 contains an authentication bypass vulnerability in raw card send surface that allows unpaired recipients to mint legacy callback payloads. Attackers can send raw card commands to bypass DM pairing restrictions and reach callback handling without proper authorization.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-10
Last Modified
2026-04-13
Generated
2026-06-16
AI Q&A
2026-04-10
EPSS Evaluated
2026-06-14
NVD
CVE-2026-35664
EUVD
EUVD-2026-21474
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
openclaw openclaw to 2026.3.25 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-288 The product requires authentication, but the product has an alternate path or channel that does not require authentication.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The provided information does not specify any direct impact of CVE-2026-35664 on compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

This vulnerability exists in OpenClaw versions before 2026.3.25 and involves an authentication bypass in the raw card send surface. It allows attackers who are not paired recipients to create legacy callback payloads. Essentially, attackers can send raw card commands that bypass device management (DM) pairing restrictions and access callback handling functions without proper authorization.

Impact Analysis

The impact of this vulnerability is that unauthorized attackers can bypass authentication controls and send commands that should only be accessible to paired devices. This can lead to unauthorized actions being performed through the callback handling mechanism, potentially compromising the integrity of the system or application that uses OpenClaw.

Detection Guidance

Detection of this vulnerability involves identifying legacy raw card command payloads in Feishu card interactions that bypass DM pairing restrictions. Specifically, look for card payloads containing unstructured command or text fields such as { command: "/new" } or { text: "/new" } in button values.

A recursive scan of card payloads to detect legacy command values can be performed by checking if the payload contains objects with an 'oc' field that does not match the current FEISHU_CARD_INTERACTION_VERSION and includes non-empty 'command' or 'text' string fields.

While no explicit commands are provided in the resources, detection can be approached by monitoring or logging raw card send traffic for legacy command patterns and verifying if any card buttons trigger unstructured commands instead of structured interaction envelopes.

Mitigation Strategies

The immediate mitigation step is to upgrade OpenClaw to version 2026.3.25 or later, where the vulnerability has been fixed by rejecting legacy raw card command payloads.

The patch enforces that Feishu card buttons triggering text or commands must use structured interaction envelopes containing metadata fields, preventing unpaired recipients from bypassing DM pairing restrictions.

Until the upgrade is applied, monitor and block any raw card commands containing legacy command or text fields in your environment to reduce the risk of exploitation.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-35664. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart