What is CVE-2026-44109?

CVE-2026-44109 is a critical-severity vulnerability in Openclaw, classified under Initialization of a Resource with an Insecure Default. CVSS score: 9.8/10. Published 2026-05-06.

How severe is CVE-2026-44109?

Critical severity. CVSS v3 base score is 9.8 out of 10.

Is CVE-2026-44109 known to be exploited?

1 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

RCE in Openclaw

CVE-2026-44109

OpenClaw before 2026.4.15 contains an authentication bypass vulnerability in Feishu webhook and card-action validation that allows unauthenticated requests to reach command dispatch. Missing encryptKey configuration and blank callback toke…

EPSS: 0.002 (39.8th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 9.8 (Critical). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.

Affected products

Openclaw — versions 0, 2026.4.15

Weakness classification (CWE)

CWE-1188 — Initialization of a Resource with an Insecure Default

Public proof-of-concept exploits

CryptReaper12/CVE-2026-44109

References

Patch Commit (Patch, patch)
GitHub Security Advisory (GHSA-xh72-v6v9-mwhc) (vendor-advisory, Mitigation, Vendor Advisory)
VulnCheck Advisory: OpenClaw < 2026.4.15 - Authentication Bypass in Feishu Webhook and Card-Action Validation (Third Party Advisory, third-party-advisory)

Frequently asked questions

What is CVE-2026-44109?: CVE-2026-44109 is a critical-severity vulnerability in Openclaw, classified under Initialization of a Resource with an Insecure Default. CVSS score: 9.8/10. Published 2026-05-06.
How severe is CVE-2026-44109?: Critical severity. CVSS v3 base score is 9.8 out of 10.
Is CVE-2026-44109 known to be exploited?: 1 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.