This is a summary of the AI-generated 10-question deep analysis. The full version (longer answers, follow-up Q&A, related CVEs) requires login.
Q1: What is this vulnerability? (Essence + Consequences)
**Essence**: OpenClaw versions before 2026.4.15 contain a critical **Authentication Bypass** in the Feishu Webhook and Card Action handlers. **Consequences**: unauthenticated requests reach the command scheduler. …
**Root Cause**: **CWE-1188** (Insecure Configuration). When `encryptKey` is missing or the callback token is empty, the integration defaults to **allowing** the request (fail-open) instead of rejecting it. …
**Affected**: **OpenClaw** versions **before 2026.4.15**, specifically the **Feishu Webhook** integration and the **Card Action** validation modules. If you are running an older version, you are vulnerable.
Q4: What can hackers do? (Privileges/Data)
**Attacker Capabilities**: with **no privileges** required (PR:N), an attacker can bypass the authentication checks and execute **arbitrary commands** on the system. …
**Self-Check**:
1. Check your OpenClaw version (anything below 2026.4.15 is affected).
2. Verify that `encryptKey` is configured for the Feishu Webhook integration.
3. Ensure the callback tokens are **not empty**.
4. …
**Official Fix**: **YES**. Patched in version **2026.4.15** and later. **Patch Commit**: [c8003f1b](https://github.com/openclaw/openclaw/commit/c8003f1b33ed2924be5f62131bd28742c5a41aae). …
**Workaround (No Patch)**: if you cannot upgrade immediately:
1. **Strictly configure** the `encryptKey`.
2. Ensure **non-empty** callback tokens are set.
3. …
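To make the root cause and the workaround concrete, here is an added illustration (not OpenClaw's code; the page does not show the project's implementation or language) of a fail-open webhook check beside a fail-closed one. It assumes Feishu's documented callback signing (`sha256(timestamp + nonce + encrypt_key + body)` in `X-Lark-Signature`) and a verification token carried in the callback payload; the config field names and sample values are constructed.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass

@dataclass
class FeishuConfig:
    """Hypothetical config shape (assumed field names, not OpenClaw's own)."""
    encrypt_key: str = ""         # Feishu "Encrypt Key" used to sign callbacks
    verification_token: str = ""  # Feishu "Verification Token" echoed in payloads

def lark_signature(timestamp: str, nonce: str, encrypt_key: str, body: bytes) -> str:
    # Feishu's documented callback signing: sha256(timestamp + nonce + encrypt_key + raw body)
    return hashlib.sha256((timestamp + nonce + encrypt_key).encode() + body).hexdigest()

def sign_request(cfg: FeishuConfig, body: bytes, timestamp="1700000000", nonce="n1") -> dict:
    """Builds the headers a genuine Feishu callback would carry (constructed sample)."""
    return {
        "X-Lark-Request-Timestamp": timestamp,
        "X-Lark-Request-Nonce": nonce,
        "X-Lark-Signature": lark_signature(timestamp, nonce, cfg.encrypt_key, body),
    }

def _signature_ok(cfg: FeishuConfig, headers: dict, body: bytes) -> bool:
    expected = lark_signature(headers.get("X-Lark-Request-Timestamp", ""),
                              headers.get("X-Lark-Request-Nonce", ""), cfg.encrypt_key, body)
    return hmac.compare_digest(expected.encode(), headers.get("X-Lark-Signature", "").encode())

def verify_fail_open(cfg: FeishuConfig, headers: dict, body: bytes) -> bool:
    """The CWE-1188 pattern: an unset key silently disables authentication."""
    if not cfg.encrypt_key:
        return True  # BUG: "nothing configured" is treated as "everyone is trusted"
    return _signature_ok(cfg, headers, body)

def verify_fail_closed(cfg: FeishuConfig, headers: dict, body: bytes) -> bool:
    """Fail-closed: missing secrets mean the request cannot be trusted, so reject it."""
    if not cfg.encrypt_key or not cfg.verification_token:
        return False
    if not _signature_ok(cfg, headers, body):
        return False
    try:
        payload = json.loads(body)
        # Card actions carry the token at top level; v2 events nest it under "header".
        token = payload.get("token") or payload.get("header", {}).get("token", "")
    except (ValueError, AttributeError):
        return False
    return hmac.compare_digest(str(token).encode(), cfg.verification_token.encode())
```

With an empty `FeishuConfig()` the fail-open variant accepts an unsigned request outright, which is exactly the condition the self-check items above are meant to catch; the fail-closed variant rejects it until both secrets are set and the signature and token verify.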