GHSA-xh72-v6v9-mwhc: OpenClaw: auth bypass enables unauthenticated command exec
GHSA-xh72-v6v9-mwhc (CRITICAL)

OpenClaw's Feishu webhook integration fails open when `encryptKey` is not configured — accepting unauthenticated webhook requests and blank card-action callback tokens as valid, routing both directly into command dispatch with no signature or replay protection (CWE-1188, CWE-287, CWE-294). Any OpenClaw deployment using Feishu webhook mode without an explicitly configured `encryptKey` is exposed to network-triggered arbitrary command execution requiring zero credentials. There is no public exploit or KEV listing yet, but the fail-open default makes this trivially exploitable by any attacker who can reach the webhook endpoint — and the same package carries 135 prior CVEs, with AIID #1368 already documenting malicious skill abuse in the OpenClaw ecosystem. Upgrade to OpenClaw 2026.4.15 immediately; if patching is not feasible, disable Feishu webhook mode or restrict the endpoint to Feishu IP ranges via network ACLs.
What is the risk?
Critical risk for any OpenClaw deployment using Feishu webhook mode with a missing encryptKey. The fail-open design requires zero prior access or credentials — an attacker needs only network reachability to the webhook endpoint. Absence of replay protection (CWE-294) compounds the exposure by allowing re-submission of any captured request. The pattern of 135 prior CVEs in this package and recent AIID #1368 documenting active malicious skill abuse in the OpenClaw ecosystem elevates the likelihood this class of vulnerability will be operationalized quickly.
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| OpenClaw | npm | < 2026.4.15 | 2026.4.15 |
Do you use OpenClaw? You're affected.
What should I do?
1. Patch immediately: upgrade openclaw to 2026.4.15.
2. If immediate patching is not feasible, disable Feishu webhook mode or restrict webhook endpoint access to Feishu IP ranges via network ACLs.
3. Ensure `encryptKey` is explicitly set in all Feishu webhook configurations — do not rely on defaults.
4. Review OpenClaw command handler logs for anomalous requests prior to patching (look for webhook calls without valid signatures or with blank callback tokens).
5. Audit all tools and integrations granted to the OpenClaw agent and apply least-privilege to limit blast radius.
6. Search for exposed webhook endpoints via internal asset inventory and external attack surface management tooling.
Frequently Asked Questions
Is GHSA-xh72-v6v9-mwhc actively exploited?
No confirmed active exploitation of GHSA-xh72-v6v9-mwhc has been reported, but organizations should still patch proactively.
What systems are affected by GHSA-xh72-v6v9-mwhc?
This vulnerability affects the following AI/ML architecture patterns: agent frameworks, enterprise messaging integrations, chatbot/assistant deployments.
What is the CVSS score for GHSA-xh72-v6v9-mwhc?
No CVSS score has been assigned yet.
What is the AI security impact?
MITRE ATLAS Techniques
AML.T0049 Exploit Public-Facing Application
AML.T0053 AI Agent Tool Invocation
AML.T0081 Modify AI Agent Configuration
AML.T0083 Credentials from AI Agent Configuration
What are the technical details?
Original Advisory
## Summary

Feishu webhook mode accepted missing `encryptKey` configuration as valid and blank card-action callback tokens as usable lifecycle tokens. Together, those fail-open paths could allow unauthenticated webhook or card-action traffic to reach command dispatch in affected deployments.

## Impact

A deployment using Feishu webhook mode without a configured `encryptKey`, or handling malformed card-action callbacks with blank callback tokens, could fail open instead of rejecting the request. Severity remains critical because affected webhook deployments expose a network-triggered path into OpenClaw command handling without the expected Feishu signature or replay protection.

## Affected versions

- Affected: `< 2026.4.15`
- Patched: `2026.4.15`

## Fix

OpenClaw `2026.4.15` makes Feishu webhook and card-action validation fail closed. Webhook mode now refuses to start without an `encryptKey`, missing signing configuration returns invalid instead of valid, invalid signatures return `401`, and blank card-action callback tokens are rejected before dispatch.

Verified in `v2026.4.15`:

- `extensions/feishu/src/monitor.transport.ts` returns invalid when `encryptKey` is missing, refuses webhook mode without `encryptKey`, and rejects invalid signatures before JSON handling.
- `extensions/feishu/src/card-action.ts` rejects blank callback tokens in the card-action lifecycle guard.
- `extensions/feishu/src/monitor.webhook-security.test.ts` covers missing-`encryptKey` startup and transport rejection.
- `extensions/feishu/src/monitor.card-action.lifecycle.test.ts` covers malformed blank-token card actions being dropped before handler dispatch.

Fix commit included in `v2026.4.15` and absent from `v2026.4.14`:

- `c8003f1b33ed2924be5f62131bd28742c5a41aae` via PR #66707

Thanks to @dhyabi2 for reporting this issue.
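To make the fail-open path and the fail-closed fix concrete, here is an added TypeScript example; it is not OpenClaw's code and does not reproduce the patched files named above. It assumes the documented Feishu signing scheme hex(sha256(timestamp + nonce + encryptKey + rawBody)) carried in the X-Lark-Request-Timestamp, X-Lark-Request-Nonce and X-Lark-Signature headers, and all request values are constructed. The "before" verifier shows how a missing key short-circuits to valid; the "after" verifier refuses to start without a key, returns 401 on bad or missing signatures, bounds replay with a timestamp window and a seen-nonce set, and rejects blank card-action tokens.

```typescript
import { createHash, timingSafeEqual } from "crypto";

// Constructed stand-in for the headers Feishu sends with a webhook delivery
// (X-Lark-Request-Timestamp, X-Lark-Request-Nonce, X-Lark-Signature) plus the raw body.
export interface WebhookRequest { timestamp: string; nonce: string; signature: string; body: string; }
export type VerifyResult = { ok: true } | { ok: false; status: number; reason: string };
const reject = (reason: string): VerifyResult => ({ ok: false, status: 401, reason });

// Assumed Feishu scheme: hex(sha256(timestamp + nonce + encryptKey + rawBody)).
export function feishuSignature(ts: string, nonce: string, key: string, body: string): string {
  return createHash("sha256").update(ts + nonce + key + body).digest("hex");
}

// Fail-open shape the advisory describes: a missing encryptKey short-circuits to "valid",
// so an unsigned request reaches dispatch. Kept here only as the "before" for comparison.
export function verifyFailOpen(req: WebhookRequest, encryptKey?: string): VerifyResult {
  if (!encryptKey) return { ok: true }; // CWE-1188: insecure default when the key is absent
  const expected = feishuSignature(req.timestamp, req.nonce, encryptKey, req.body);
  return expected === req.signature ? { ok: true } : reject("bad signature");
}

// Fail-closed verifier: refuses to construct without a key, rejects missing or invalid
// signatures with 401, and bounds replay with a timestamp window plus a seen-nonce set.
export class FailClosedVerifier {
  private readonly key: string;
  private readonly seen = new Set<string>();
  constructor(encryptKey: string | undefined, private readonly skewSeconds = 300) {
    if (!encryptKey) throw new Error("Feishu webhook mode requires encryptKey; refusing to start");
    this.key = encryptKey;
  }
  verify(req: WebhookRequest, nowSeconds = Math.floor(Date.now() / 1000)): VerifyResult {
    if (!req.signature || !req.timestamp || !req.nonce) return reject("missing signature headers");
    const ts = Number(req.timestamp);
    if (!Number.isFinite(ts) || Math.abs(nowSeconds - ts) > this.skewSeconds) return reject("timestamp outside window");
    const expected = Buffer.from(feishuSignature(req.timestamp, req.nonce, this.key, req.body), "hex");
    const given = Buffer.from(req.signature, "hex");
    if (expected.length !== given.length || !timingSafeEqual(expected, given)) return reject("bad signature");
    const replayKey = `${req.timestamp}:${req.nonce}`; // CWE-294: the same delivery presented twice
    if (this.seen.has(replayKey)) return reject("replayed request");
    this.seen.add(replayKey);
    return { ok: true };
  }
}

// Card-action lifecycle guard: a blank callback token is not a usable token.
export function isUsableCallbackToken(token: unknown): boolean {
  return typeof token === "string" && token.trim().length > 0;
}
```

Logging the `reason` from each rejection gives the signal step 4 above asks for: unsigned calls, bad signatures, replays and blank tokens each show up as a distinct 401 cause.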
Exploitation Scenario
An attacker discovers an OpenClaw deployment using Feishu webhook mode via public GitHub configuration files or exposed webhook URLs. Since no encryptKey is configured, the webhook transport validation returns 'valid' regardless of signature content. The attacker crafts a POST request to the webhook endpoint mimicking a Feishu payload — no valid HMAC required. OpenClaw accepts the request and routes it to command dispatch. The attacker then invokes agent commands to enumerate connected tools, exfiltrate credentials from agent configuration files (AML.T0083), or trigger downstream API calls to pivot into internal systems — closely mirroring the credential exfiltration pattern documented in AIID #1368 but without needing a malicious skill.
Weaknesses (CWE)
CWE-1188 Initialization of a Resource with an Insecure Default
Primary
CWE-287 Improper Authentication
Primary
CWE-294 Authentication Bypass by Capture-replay
Primary
CWE-1188 — Initialization of a Resource with an Insecure Default: The product initializes or sets a resource with a default that is intended to be changed by the product's installer, administrator, or maintainer, but the default is not secure.
Source: MITRE CWE corpus.
Related Vulnerabilities
| CVE | Score | Title | Relation |
|---|---|---|---|
| CVE-2026-33579 | 9.9 | Analysis pending | Same package: openclaw |
| CVE-2026-32922 | 9.9 | Analysis pending | Same package: openclaw |
| CVE-2026-53838 | 9.8 | OpenClaw: approval scope bypass via reconnection state | Same package: openclaw |
| CVE-2026-30741 | 9.8 | OpenClaw: RCE via request-side prompt injection | Same package: openclaw |
| CVE-2026-32038 | 9.8 | Analysis pending | Same package: openclaw |