CVE-2026-44109

CRITICAL

OpenClaw < 2026.4.15 - Authentication Bypass in Feishu Webhook and Card-Action Validation

Title source: cna

Exploitation Summary

EIP tracks 1 public exploit for CVE-2026-44109, a PoC published by CryptReaper12.

AI-analyzed exploit summary: The repository claims to exploit CVE-2026-44109 in OpenClaw but lacks actual exploit code, instead redirecting users to an external download link (tinyurl). The README provides minimal technical details and reads like a sales pitch.

Description

OpenClaw before 2026.4.15 contains an authentication bypass vulnerability in Feishu webhook and card-action validation that allows unauthenticated requests to reach command dispatch. Missing encryptKey configuration and blank callback tokens fail open instead of rejecting requests, enabling attackers to bypass signature verification and replay protection to execute arbitrary commands.

Exploits (1)

nomisec (SUSPICIOUS)
by CryptReaper12 · poc
https://github.com/CryptReaper12/CVE-2026-44109

Classification: Suspicious (90%)
Attack Type: Other
Complexity: Theoretical
Reliability: Theoretical
Target: OpenClaw < 2026.4.15
Authentication: none needed
Prerequisites: none specified
Analyzed by devstral-2 on May 07, 2026

References (3)

Core References
Vendor Advisory
GitHub Security Advisory (GHSA-xh72-v6v9-mwhc)
https://github.com/openclaw/openclaw/security/advisories/GHSA-xh72-v6v9-mwhc
Third Party Advisory
VulnCheck Advisory: OpenClaw < 2026.4.15 - Authentication Bypass in Feishu Webhook and Card-Action Validation
https://www.vulncheck.com/advisories/openclaw-authentication-bypass-in-feishu-webhook-and-card-action-validation

Scores

CVSS v3: 9.8
EPSS: 0.0019
EPSS Percentile: 40.0%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation: none
Automatable: yes
Technical Impact: total

Details

CWE: CWE-1188
Status: published
Products (4):
npm/openclaw 0 - 2026.4.15 (npm)
OpenClaw/OpenClaw < 2026.4.15
openclaw/openclaw < 2026.4.15
OpenClaw/OpenClaw 2026.4.15
Published: May 06, 2026
Tracked Since: May 07, 2026