CVE-2026-44109

OpenClaw CVE-2026-44109 affects OpenClaw prior to 2026.4.15, with an authentication bypass in Feishu webhook and card-action validation. The issue arises from a missing encryptKey configuration and blank callback tokens that fail open, allowing unauthenticated requests to reach command dispatch a...

CVE-2026-44109 OpenClaw < 2026.4.15 - Authentication Bypass in Feishu Webhook and Card-Action Validation

OpenClaw before 2026.4.15 contains an authentication bypass vulnerability in Feishu webhook and card-action validation that allows unauthenticated requests to reach command dispatch. Missing encryptKey configuration and blank callback tokens fail open instead of rejecting requests, enabling...

Insecure Default Initialization of Resource

Overview @openclaw/feishu is an OpenClaw Feishu/Lark channel plugin community maintained by @m1heng Affected versions of this package are vulnerable to Insecure Default Initialization of Resource via improper validation of the encryptKey configuration and blank callback tokens. An attacker can ga...

PT-2026-38242

Name of the Vulnerable Software and Affected Versions OpenClaw versions prior to 2026.4.15 Description An authentication bypass exists in the Feishu webhook and card-action validation. When the encryptKey configuration is missing or callback tokens are blank, the system fails open rather than...