CVE-2026-44109

Description

OpenClaw before 2026.4.15 contains an authentication bypass vulnerability in Feishu webhook and card-action validation that allows unauthenticated requests to reach command dispatch. Missing encryptKey configuration and blank callback tokens fail open instead of rejecting requests, enabling attackers to bypass signature verification and replay protection to execute arbitrary commands.

CVSS v3.1 Score

9.8

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS — Exploit Prediction

0.0019

Probability of exploitation

0.40%

Percentile rank

EPSS estimates the probability that this vulnerability will be exploited in the wild within the next 30 days. A higher score means more likely to be exploited.

Weakness Type (CWE)

CWE-1188 CWE-1188

Affected Products

Vendor	Product	Versions
openclaw	openclaw	< 2026.4.15

References

Advisories & Patches

https://github.com/openclaw/openclaw/commit/c8003f1b33ed2924be5f62131bd28742c5a41aae https://github.com/openclaw/openclaw/security/advisories/GHSA-xh72-v6v9-mwhc

Other References

https://www.vulncheck.com/advisories/openclaw-authentication-bypass-in-feishu-webhook-and-card-action-validation

Frequently Asked Questions

What is CVE-2026-44109? +

OpenClaw before 2026.4.15 contains an authentication bypass vulnerability in Feishu webhook and card-action validation that allows unauthenticated requests to reach command dispatch. Missing encryptKey configuration and blank callback tokens fail open instead of rejecting requests, enabling attackers to bypass signature verification and replay protection to execute arbitrary commands. It has a CVSS v3.1 base score of 9.8 (CRITICAL).

How severe is CVE-2026-44109? +

CVE-2026-44109 has a CVSS v3.1 score of 9.8 out of 10, rated CRITICAL. This is a critical vulnerability that should be patched immediately. The EPSS score is 0.0019, placing it in the 0th percentile for exploitation probability.

What products are affected by CVE-2026-44109? +

CVE-2026-44109 affects products from openclaw, specifically: openclaw. Check the affected products table above for specific version ranges.

How do I check if I'm vulnerable to CVE-2026-44109? +

You can use Secably's free Website Scanner to check your website for known vulnerabilities. For infrastructure scanning, use the Port Scanner to identify exposed services that may be affected. Check the vendor advisories linked above for specific patch and version information.

Related Vulnerabilities

CVE-2024-8313

An Exposure of Sensitive System Information to an Unauthorized Control Sphere and Initialization of a Resource with an Insecure Default …

CVE-2024-5801

Enabled IP Forwarding feature in B&R Automation Runtime versions before 6.0.2 may allow remote attack-ers to compromise network security by …

CVE-2025-7353

A security issue exists due to the web-based debugger agent enabled on Rockwell Automation ControlLogix® Ethernet Modules. If a specific …

CVE-2024-51758

Filament is a collection of full-stack components for accelerated Laravel development. All Filament features that interact with storage use the …

CVE-2026-6866

CWE-1188 Initialization of a Resource with an Insecure Default vulnerability exists that could cause unauthorized disclosure of sensitive information when …

CVE-2026-44670

SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, the kernel stores Attribute View (AV / database) names …