Listen to this Post
The vulnerability exists in Feishu webhook mode of OpenClaw versions prior to 2026.4.15. Two fail-open flaws combine to allow unauthenticated command dispatch. First, the webhook transport accepts a missing `encryptKey` configuration as valid – the system starts without any signing key, treating all incoming requests as legitimate. Second, the card-action lifecycle handler accepts blank callback tokens as usable tokens, bypassing replay protection. An attacker can send a crafted HTTP request to the Feishu webhook endpoint. Because no `encryptKey` is required, the request skips signature verification. Additionally, if the request includes a card-action with an empty callback token, the guard logic fails to reject it. The vulnerable code paths in `monitor.transport.ts` return `invalid` only when `encryptKey` is present but incorrect; missing key returns valid. In card-action.ts, blank tokens pass the lifecycle check. This allows an unauthenticated attacker to trigger command dispatch without any signature or token validation, leading to remote code execution on the affected OpenClaw instance. The fix in v2026.4.15 makes validation fail closed: webhook mode refuses to start without encryptKey, missing config returns invalid, invalid signatures return 401, and blank callback tokens are rejected before dispatch.
DailyCVE Form:
Platform: OpenClaw
Version: < 2026.4.15
Vulnerability: Missing encryptKey validation
Severity: Critical
date: 2026-04-15
Prediction: already patched
What Undercode Say:
Check if running vulnerable version
openclaw --version | grep -E "2026.4.(1[0-4]|[0-9])"
Verify encryptKey presence in Feishu config
grep -A5 "feishu:" config.yaml | grep "encryptKey"
Test blank callback token (example curl)
curl -X POST http://target/webhook/feishu \
-H "Content-Type: application/json" \
-d '{"callback_token": ""}'
Exploit:
Send unauthenticated POST request to `/webhook/feishu` with empty `encryptKey` header and blank `callback_token` in JSON body to trigger command dispatch without signature.
Protection from this CVE
Upgrade to OpenClaw v2026.4.15 or later. If upgrade impossible, manually add `encryptKey` to Feishu config and restart; reject blank tokens via reverse proxy rule.
Impact:
Unauthenticated remote command execution, full compromise of OpenClaw instance, lateral movement potential, data breach.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

