CVE-2026-44109
Authentication Bypass in OpenClaw Feishu Extension
Publication date: 2026-05-06
Last updated on: 2026-05-07
Assigner: VulnCheck
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| openclaw | openclaw | to 2026.4.15 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1188 | The product initializes or sets a resource with a default that is intended to be changed by the product's installer, administrator, or maintainer, but the default is not secure. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in OpenClaw versions before 2026.4.15 and involves an authentication bypass in the Feishu webhook and card-action validation process.
Due to missing encryptKey configuration and blank callback tokens, the system fails open instead of rejecting unauthorized requests.
This allows attackers to bypass signature verification and replay protection mechanisms, enabling them to send unauthenticated requests that reach command dispatch and execute arbitrary commands.
How can this vulnerability impact me?
The vulnerability can have severe impacts as it allows attackers to execute arbitrary commands without authentication.
This can lead to unauthorized control over the affected system, potentially resulting in data breaches, system compromise, or disruption of services.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify how CVE-2026-44109 affects compliance with common standards and regulations such as GDPR or HIPAA.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for unauthenticated or unsigned Feishu webhook and card-action requests reaching the command dispatch endpoint. Specifically, look for requests that lack proper encryptKey configuration or contain blank callback tokens, as these indicate the fail-open condition exploited by the vulnerability.
Detection can involve inspecting network traffic or logs for webhook requests missing signature verification or replay protection headers.
While no explicit commands are provided in the resources, typical detection commands might include using network packet capture tools like tcpdump or Wireshark to filter HTTP POST requests to the Feishu webhook endpoints and checking for missing or blank tokens.
- Use tcpdump to capture Feishu webhook traffic that carries a non-empty TCP payload: tcpdump -i <interface> -A '(tcp port 80 or 443) and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'. Port 443 traffic is TLS-encrypted, so -A only yields readable payloads on plaintext HTTP or when capturing behind the TLS-terminating proxy.
- Inspect captured requests for missing signature or timestamp headers and for blank callback tokens in the payload, and check the OpenClaw configuration itself for a missing encryptKey, since that setting lives on the server rather than in the request.
- Review application logs for any accepted webhook or card-action requests without proper signature verification or with empty tokens.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade OpenClaw to version 2026.4.15 or later, where the vulnerability is patched.
This update enforces fail-closed security measures by requiring an encryptKey for webhook transport initialization, rejecting unsigned webhook requests if no encryption key is present, and dropping card-action events with empty or blank callback tokens before processing.
Additionally, ensure that your configuration does not have missing encryptKey settings and that callback tokens are properly set and validated.
If immediate upgrade is not possible, consider implementing network-level filtering to block unauthenticated or unsigned Feishu webhook requests and monitor for suspicious activity.
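To make the fail-closed behaviour described above concrete, the following is an added illustration, not OpenClaw's own code: a validator that refuses to initialise without an encryptKey, rejects unsigned or stale webhook requests, and drops card-action events whose callback token is blank, shown beside the fail-open pattern the advisory describes. The header names, the HMAC-SHA256 stand-in signature scheme and the 300-second replay window are assumptions of this example, not Feishu's actual protocol.

```python
import hmac
import hashlib
import time

REPLAY_WINDOW_SECONDS = 300  # assumed freshness window for replay protection

def expected_signature(encrypt_key, timestamp, nonce, body):
    # Stand-in scheme: HMAC-SHA256 over timestamp||nonce||body keyed with encryptKey.
    return hmac.new(encrypt_key.encode(), f"{timestamp}{nonce}".encode() + body,
                    hashlib.sha256).hexdigest()

def fail_open_verify(encrypt_key, headers, body):
    # Pre-fix pattern the advisory describes: no key configured -> checks are skipped.
    if not encrypt_key:
        return True  # BUG: unauthenticated request is accepted
    exp = expected_signature(encrypt_key, headers.get("X-Timestamp", ""),
                             headers.get("X-Nonce", ""), body)
    return hmac.compare_digest(headers.get("X-Signature", ""), exp)

class FeishuWebhookValidator:
    # Fail-closed validator; hypothetical names, not OpenClaw's own code.
    def __init__(self, encrypt_key, callback_token):
        # Refuse to initialise the transport without a key: fail closed at startup.
        if not (encrypt_key and encrypt_key.strip()):
            raise ValueError("encryptKey is required for webhook transport")
        if not (callback_token and callback_token.strip()):
            raise ValueError("callback token must be configured")
        self.encrypt_key = encrypt_key
        self.callback_token = callback_token

    def verify_webhook(self, headers, body, now=None):
        # True only for a signed request whose timestamp is inside the replay window.
        sig, ts, nonce = (headers.get(h) for h in ("X-Signature", "X-Timestamp", "X-Nonce"))
        if not (sig and ts and nonce):
            return False  # unsigned request: reject instead of falling through
        now = time.time() if now is None else now
        if not ts.isdigit() or abs(now - int(ts)) > REPLAY_WINDOW_SECONDS:
            return False  # stale or malformed timestamp
        return hmac.compare_digest(sig, expected_signature(self.encrypt_key, ts, nonce, body))

    def accept_card_action(self, event):
        # Drop card-action events whose callback token is empty or blank.
        token = event.get("token")
        if not isinstance(token, str) or not token.strip():
            return False
        return hmac.compare_digest(token, self.callback_token)
```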