CRITICAL🇵🇱 Wersja polska

CVE-2026-44109

CVSS 9.2v4.0pub. 2026-05-06upd. 2026-05-07

OpenClaw before 2026.4.15 contains an authentication bypass vulnerability in Feishu webhook and card-action validation that allows unauthenticated requests to reach command dispatch. Missing encryptKey configuration and blank callback tokens fail open instead of rejecting requests, enabling attackers to bypass signature verification and replay protection to execute arbitrary commands.

CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  • Openclaw

    APP
    Openclaw
    < 2026.4.15
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Auth Bypass
CWE
References

Related vulnerabilities

CVE-2026-43585CRITICAL9.2PL ✓ten sam produkt

OpenClaw: ominięcie uwierzytelniania przez nieodświeżane tokeny bearer po rotacji SecretRef

CVE-2026-43575CRITICAL9.2PL ✓ten sam produkt

OpenClaw: Authentication Bypass w trasie pomocniczej sandbox noVNC

CVE-2026-43578CRITICAL9.1PL ✓ten sam produkt

OpenClaw: privilege escalation przez pominięcie zdarzeń async exec w heartbeat

CVE-2026-43581CRITICAL9.0PL ✓ten sam produkt

OpenClaw: ekspozycja Chrome DevTools Protocol poza sandbox

CVE-2026-43534CRITICAL9.3PL ✓ten sam produkt

OpenClaw: nieweryfikowane metadane hooków eskalowane do kontekstu systemowego