clawsmith.com/signal/cve-2026-44109-feishu-webhook-auth-bypass-rce
Issue | Wide Open | Security | Live

CVE-2026-44109: Critical Feishu Webhook Auth Bypass Enables Unauthenticated RCE on OpenClaw (CVSS 9.8)

Two fail-open logic inversions in the Feishu/Lark plugin allow unauthenticated attackers to inject arbitrary events into OpenClaw's command dispatch engine. When execution tools are enabled, this translates to unauthenticated remote code execution. Patched in v2026.4.15.

Product Idea from this Signal

A CLI tool that scans a running OpenClaw instance for active CVEs, malicious skills, and supply chain tampering before they get exploited


OpenClaw has accumulated 433+ CVEs in five months, including critical auth bypasses (CVSS 9.8), sandbox escapes, and nation-state supply chain attacks targeting the npm ecosystem. Most operators have no idea which CVEs affect their specific version, whether their installed skills contain backdoors, or whether their dependency tree has been tampered with. This tool runs a comprehensive security audit against a live OpenClaw instance and outputs an actionable remediation plan.

Tags: CLI, Open-source, Security, Devtool, Audit

Score Breakdown: GitHub 131

Gap Assessment

Wide Open: no dedicated solution exists

No third-party tool to detect or prevent Feishu webhook auth bypass in OpenClaw deployments
