Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
9.2
CVE-2026-44109: OpenClaw before 2026.4.15: Unauthenticated Access to Commands
CVE-2026-44109
Summary
OpenClaw versions prior to 2026.4.15 have a security weakness that allows unauthorized users to execute commands without proper authorization. This means that sensitive data and operations can be accessed and manipulated by anyone who knows how to exploit this weakness. To protect your system, update to the latest version of OpenClaw as soon as possible.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions |
|---|---|---|
| openclaw | openclaw |
< 2026.4.15 cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:* |
Original title
OpenClaw before 2026.4.15 contains an authentication bypass vulnerability in Feishu webhook and card-action validation that allows unauthenticated requests to reach command dispatch. Missing encryp...
Original description
OpenClaw before 2026.4.15 contains an authentication bypass vulnerability in Feishu webhook and card-action validation that allows unauthenticated requests to reach command dispatch. Missing encryptKey configuration and blank callback tokens fail open instead of rejecting requests, enabling attackers to bypass signature verification and replay protection to execute arbitrary commands.
nvd CVSS3.1
9.8
nvd CVSS4.0
9.2
Vulnerability type
CWE-1188
Published: 6 May 2026 · Updated: 1 Jun 2026 · First seen: 7 May 2026