OpenClaw Authentication Bypass Vulnerability in Feishu Webhook and Card-Action Validation
Vulnerability
An authentication bypass vulnerability has been identified in OpenClaw versions prior to 2026.4.15. This vulnerability exists in the Feishu webhook and card-action validation processes, allowing unauthenticated requests to bypass signature verification and replay protection, ultimately reaching the command dispatch system. The issue arises because the Feishu integration can accept requests without a proper 'encryptKey' and allows blank callback tokens to be used, creating a fail-open scenario. As a result, attackers can exploit this vulnerability to execute arbitrary commands on the affected system.
Impact
Exploitation of this vulnerability could lead to unauthorized command execution within the OpenClaw application, bypassing normal authentication and validation mechanisms.
Reproduction
To reproduce this vulnerability, deploy an OpenClaw version prior to 2026.4.15 and configure a Feishu webhook without an 'encryptKey'. Additionally, send card-action events with blank callback tokens. The application will accept these requests and dispatch them as if they were properly authenticated and validated, demonstrating the authentication bypass.
Remediation
Users can upgrade to OpenClaw version 2026.4.15 or later, which addresses this vulnerability by ensuring that the Feishu webhook requires a valid 'encryptKey' and rejects blank callback tokens before processing card-action events.
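As an added example (not OpenClaw's own code), the following fail-closed validator implements the checks the fix describes: it refuses to verify anything when no encryptKey or verification token is configured, enforces timestamp and nonce replay protection, checks the signature in constant time, and rejects blank callback tokens before a card-action event can reach dispatch. It assumes Feishu's documented signing scheme sha256(timestamp + nonce + encrypt_key + body) over the X-Lark-Request-Timestamp, X-Lark-Request-Nonce and X-Lark-Signature headers; the configuration values and the make_signed_request helper are constructed for this example.

```python
import hashlib
import hmac
import json
from typing import Optional, Tuple

# Constructed values for the example; real ones come from the Feishu app settings.
ENCRYPT_KEY = "example-encrypt-key"
VERIFY_TOKEN = "example-verification-token"
MAX_SKEW_SECONDS = 300


def feishu_signature(ts: str, nonce: str, encrypt_key: str, body: bytes) -> str:
    # Assumed scheme: sha256(timestamp + nonce + encrypt_key + body), hex encoded.
    return hashlib.sha256((ts + nonce + encrypt_key).encode() + body).hexdigest()


def make_signed_request(payload: dict, encrypt_key: str, nonce: str, ts: int) -> Tuple[dict, bytes]:
    # Builds a delivery the way the sending side would; used here for self-testing.
    body = json.dumps(payload).encode()
    headers = {"X-Lark-Request-Timestamp": str(ts), "X-Lark-Request-Nonce": nonce,
               "X-Lark-Signature": feishu_signature(str(ts), nonce, encrypt_key, body)}
    return headers, body


def validate_card_action(headers: dict, body: bytes, encrypt_key: Optional[str],
                         verify_token: Optional[str], seen_nonces: set, now: float) -> bool:
    """Fail closed: the event reaches dispatch only if every check passes."""
    # 1. No encryptKey or verification token configured: nothing can be verified, so
    #    reject instead of skipping verification (the fail-open pattern).
    if not encrypt_key or not verify_token:
        return False
    ts, nonce, sig = (headers.get(k, "") for k in
                      ("X-Lark-Request-Timestamp", "X-Lark-Request-Nonce", "X-Lark-Signature"))
    if not (ts and nonce and sig) or not ts.isdigit():
        return False
    # 2. Replay protection: reject stale timestamps and nonces already seen.
    if abs(now - int(ts)) > MAX_SKEW_SECONDS or nonce in seen_nonces:
        return False
    # 3. Signature check in constant time (bytes so non-ASCII input cannot raise).
    expected = feishu_signature(ts, nonce, encrypt_key, body)
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return False
    # 4. Card-action callbacks echo the verification token in the body; a blank token never matches.
    try:
        payload = json.loads(body)
    except ValueError:
        return False
    token = payload.get("token", "") if isinstance(payload, dict) else ""
    if not token or not hmac.compare_digest(str(token).encode(), verify_token.encode()):
        return False
    seen_nonces.add(nonce)
    return True
```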
