CVE-2026-44109 · CRITICAL 9.8 · EPSS p49.0%


Description

OpenClaw before 2026.4.15 contains an authentication bypass vulnerability in its Feishu webhook and card-action validation that allows unauthenticated requests to reach command dispatch. When the encryptKey configuration is missing or the callback token is blank, validation fails open (the request is accepted) instead of rejecting the request. An attacker can therefore bypass both signature verification and replay protection and execute arbitrary commands.
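The fail-open pattern described above, beside a fail-closed version, as an added example in TypeScript. This is illustrative code written for this page, not OpenClaw's own implementation; the function names, the verificationToken config field and the sample request are assumptions. The signature construction follows Feishu's documented event-subscription scheme (SHA-256 over timestamp + nonce + encrypt key + raw body, carried in the X-Lark-Request-Timestamp, X-Lark-Request-Nonce and X-Lark-Signature headers); the callback token is simplified to a top-level token field in the JSON body.

```typescript
// Added example, not OpenClaw code: Feishu webhook validation, fail-open vs fail-closed.
// Signature per Feishu docs: hex(sha256(timestamp + nonce + encryptKey + rawBody)).
import { createHash, timingSafeEqual } from "node:crypto";

interface FeishuConfig {
  encryptKey?: string;        // Feishu "Encrypt Key"; undefined or "" means not configured
  verificationToken?: string; // Feishu "Verification Token" (field name assumed); "" means blank
}

interface InboundRequest {
  headers: Record<string, string | undefined>; // lower-cased header names
  rawBody: string;                             // the exact bytes Feishu signed
}

function sha256Hex(s: string): string {
  return createHash("sha256").update(s, "utf8").digest("hex");
}

// Constant-time comparison that tolerates unequal lengths without throwing.
function safeEqual(a: string, b: string): boolean {
  const ab = Buffer.from(a, "utf8");
  const bb = Buffer.from(b, "utf8");
  return ab.length === bb.length && timingSafeEqual(ab, bb);
}

// Builds the three X-Lark-* headers for a body; used here only to construct sample requests.
function signRequest(encryptKey: string, ts: string, nonce: string, rawBody: string) {
  return {
    "x-lark-request-timestamp": ts,
    "x-lark-request-nonce": nonce,
    "x-lark-signature": sha256Hex(ts + nonce + encryptKey + rawBody),
  };
}

// VULNERABLE shape: each check is guarded by "if this secret is configured", so a missing
// encryptKey and a blank token silently disable signature, replay and token checks.
function verifyFailOpen(cfg: FeishuConfig, req: InboundRequest): boolean {
  const body = JSON.parse(req.rawBody);
  if (cfg.verificationToken && body.token !== cfg.verificationToken) return false; // "" skips
  if (cfg.encryptKey) {                                                              // undefined skips
    const ts = req.headers["x-lark-request-timestamp"] ?? "";
    const nonce = req.headers["x-lark-request-nonce"] ?? "";
    const sig = req.headers["x-lark-signature"] ?? "";
    if (sig !== sha256Hex(ts + nonce + cfg.encryptKey + req.rawBody)) return false;
  }
  return true; // unauthenticated request proceeds to command dispatch
}

// FAIL-CLOSED shape: missing secrets are a deployment error and reject every request;
// signature is checked over the raw body before parsing; freshness and nonce replay are enforced.
function verifyFailClosed(
  cfg: FeishuConfig,
  req: InboundRequest,
  nowSeconds: number,
  seenNonces: Set<string>,
  maxSkewSeconds = 300,
): boolean {
  if (!cfg.encryptKey || !cfg.verificationToken) return false;
  const ts = req.headers["x-lark-request-timestamp"];
  const nonce = req.headers["x-lark-request-nonce"];
  const sig = req.headers["x-lark-signature"];
  if (!ts || !nonce || !sig) return false;
  if (!safeEqual(sig, sha256Hex(ts + nonce + cfg.encryptKey + req.rawBody))) return false;
  const tsNum = Number(ts);
  if (!Number.isFinite(tsNum) || Math.abs(nowSeconds - tsNum) > maxSkewSeconds) return false;
  if (seenNonces.has(nonce)) return false; // replay of an already-accepted request
  let body: { token?: unknown };
  try { body = JSON.parse(req.rawBody); } catch { return false; }
  if (typeof body.token !== "string" || !safeEqual(body.token, cfg.verificationToken)) return false;
  seenNonces.add(nonce); // record only after every check passed
  return true;
}

// Constructed sample: an unconfigured deployment receives an unsigned request carrying a blank token.
const unconfigured: FeishuConfig = { encryptKey: undefined, verificationToken: "" };
const forged: InboundRequest = {
  headers: {},
  rawBody: JSON.stringify({ token: "", event: { text: "/run whoami" } }),
};
console.log("fail-open accepts forged request:", verifyFailOpen(unconfigured, forged));
console.log("fail-closed accepts forged request:", verifyFailClosed(unconfigured, forged, 1700000000, new Set()));
```

The two functions differ mainly in the direction of their guards: the vulnerable version asks "is a secret configured, and if so does it match", the hardened version asks "is a secret configured, and if not, refuse". Checking the signature over the raw body before JSON.parse also keeps attacker-controlled input away from the parser until it has been authenticated.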

Scoring

CVSS 3.1: 9.8 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.72% probability of exploitation · percentile 49.0% · 2026-06-18T12:00:27Z
Published: 2026-05-06
Last modified: 2026-05-07

Underlying weaknesses · 1

CWE-1188

References

  1. https://github.com/openclaw/openclaw/commit/c8003f1b33ed2924be5f62131bd28742c5a41aae
  2. https://github.com/openclaw/openclaw/security/advisories/GHSA-xh72-v6v9-mwhc
  3. https://www.vulncheck.com/advisories/openclaw-authentication-bypass-in-feishu-webhook-and-card-action-validation


Type      Target                                                             Confidence  Tier
Weakness  Initialization of a Resource with an Insecure Default (CWE-1188)   0%          live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE: CVE-2026-32974
CVE: CVE-2026-35652
CVE: CVE-2026-44110
CVE: CVE-2026-28472
CVE: CVE-2026-41394
CVE: CVE-2026-44115
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.