CVE-2026-44993 Overview
CVE-2026-44993 is a message classification vulnerability in OpenClaw versions prior to 2026.4.20. The flaw resides in Feishu card-action callback handling: when a user clicks an action on a card that was delivered in a direct message, the application classifies the resulting callback as a group conversation. That misclassification lets the callback bypass dmPolicy enforcement, so restrictive policies intended to block direct message interactions are not applied to card-action flows. The weakness is categorized under CWE-184: Incomplete List of Disallowed Inputs.
Critical Impact
Authenticated attackers can bypass direct message policy restrictions in OpenClaw by exploiting card-action callbacks, enabling unauthorized interactions with conversations that should have been blocked.
Affected Products
- OpenClaw (Node.js package) versions before 2026.4.20
- Deployments using Feishu integration with dmPolicy enforcement
- OpenClaw bot instances handling card-action callback flows
Discovery Timeline
- 2026-05-11 - CVE-2026-44993 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-44993
Vulnerability Analysis
The vulnerability stems from incorrect conversation type classification within OpenClaw's Feishu integration. When the application processes card-action callbacks, it evaluates the source conversation context to determine whether a message originated from a direct message (DM) or group chat. The classification logic incorrectly labels card-action callbacks initiated within DM contexts as group conversations.
This misclassification causes the dmPolicy enforcement layer to skip the restrictions it would normally apply. Administrators relying on dmPolicy to block bot interactions in direct message channels lose that protection when card actions are involved. The result is a policy bypass that allows actions which should have been denied. The advisory describing this issue is published in the VulnCheck Advisory Analysis and the GitHub Security Advisory GHSA-72q8-jcmc-97wx.
Root Cause
The root cause, tracked as CWE-184 (Incomplete List of Disallowed Inputs), is that the message routing logic recognises a direct message only in the shape of a standard message event. The callback handler neither preserves nor re-derives the originating conversation type for card-action events, and because card-action payloads follow a different structure than standard message events, that code path falls through to a group-chat classification. The dmPolicy check evaluates this incorrect classification and permits the action. The safe default for a payload whose origin cannot be established is the more restrictive classification, not the permissive one.
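The classification failure and its fix, as an added example. This is illustrative code written for this page, not OpenClaw's own implementation or Feishu's SDK; the event field names, the "record the card's origin at delivery time" strategy, and the dmPolicy value model are assumptions chosen to show the pattern. The vulnerable classifier falls through to "group" for anything that is not a plain message event; the fixed one re-derives the origin of a card action from what the bot stored when it sent the card, and fails closed to "dm" when the origin is unknown.

```javascript
// Added example (not OpenClaw's code): vulnerable vs. fixed conversation-type
// classification for Feishu card-action callbacks, with a dmPolicy check on top.
// Event field names and the dmPolicy value model are assumptions for illustration.

// Constructed sample events. The message event carries chat_type; in this model
// the card-action callback carries only chat and message identifiers.
const messageEvent = {
  type: 'message',
  chat_type: 'p2p',           // Feishu reports 'p2p' for direct messages, 'group' for groups
  chat_id: 'oc_dm_example',
  message_id: 'om_card_1',
  text: '/status',
};
const cardActionEvent = {
  type: 'card_action',
  chat_id: 'oc_dm_example',   // same DM, but no chat_type in this payload shape
  message_id: 'om_card_1',    // id of the card the user clicked
  action: { value: 'run:status' },
};

// Vulnerable classifier: only a message event with an explicit 'p2p' marker is
// treated as a DM; every other shape, including a card action clicked inside a
// DM, falls through to 'group'. This is the CWE-184 pattern: the list of inputs
// that count as "direct message" is incomplete.
function classifyVulnerable(event) {
  if (event.type === 'message' && event.chat_type === 'p2p') return 'dm';
  return 'group';
}

// Fixed classifier: the bot records the conversation type of every card it
// delivers, keyed by message id, and re-derives it when the callback arrives.
// A card action whose origin is unknown fails closed to 'dm'.
const cardOrigins = new Map(); // message_id -> 'dm' | 'group' (assumed bookkeeping)

function recordCardDelivery(messageId, chatType) {
  cardOrigins.set(messageId, chatType === 'p2p' ? 'dm' : 'group');
}

function classifyFixed(event) {
  if (event.type === 'message') return event.chat_type === 'p2p' ? 'dm' : 'group';
  if (event.type === 'card_action') return cardOrigins.get(event.message_id) ?? 'dm';
  return 'dm'; // unknown event shape: restrictive default
}

// dmPolicy model (assumed): 'deny' blocks bot interaction in direct messages.
function isAllowed(policy, conversationType) {
  if (conversationType === 'dm') return policy.dmPolicy !== 'deny';
  return true; // group handling is governed elsewhere and is not the subject of this CVE
}

// Evaluate the same restrictive policy with each classifier.
function evaluate(classify, policy) {
  return {
    message: isAllowed(policy, classify(messageEvent)),
    cardAction: isAllowed(policy, classify(cardActionEvent)),
  };
}

recordCardDelivery('om_card_1', 'p2p'); // the card was sent into a DM
const denyDm = { dmPolicy: 'deny' };

const vulnerable = evaluate(classifyVulnerable, denyDm); // { message: false, cardAction: true }  <- bypass
const fixed = evaluate(classifyFixed, denyDm);           // { message: false, cardAction: false }

console.log({ vulnerable, fixed });
```

The point of the fixed path is not the specific bookkeeping (a real deployment may instead look the chat up through the platform API) but that the card-action branch never reaches the permissive class without positive evidence that the conversation is a group.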
Attack Vector
An authenticated user in a Feishu environment can trigger the bypass by interacting with a card delivered through a direct message conversation. When the user clicks a card action, the resulting callback is routed by OpenClaw as if it originated from a group conversation. Policies configured to block DM interactions are not enforced for the resulting handler invocation. Network access to the OpenClaw callback endpoint and low-privilege authentication are required. Exploitation does not require user interaction beyond the attacker's own card interaction.
No public proof-of-concept code is available for this vulnerability. Technical specifics of the fix are documented in the GitHub Commit Update.
Detection Methods for CVE-2026-44993
Indicators of Compromise
- Card-action callbacks in OpenClaw logs where the conversation context indicates a DM but the policy decision recorded group-chat handling.
- Successful bot interactions in direct message conversations that should have been blocked by a configured dmPolicy.
- Unexpected command executions or workflow triggers originating from Feishu card interactions outside approved group channels.
Detection Strategies
- Audit OpenClaw application logs for card-action callback events and correlate the originating chat_type field with the policy decision applied.
- Compare the OpenClaw deployment version against 2026.4.20 and flag any earlier installations as exposed.
- Review Feishu audit logs for card interactions in direct message threads involving bot users governed by restrictive policies.
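The first detection strategy above, correlating each card-action callback with the conversation type of the card it belongs to, as an added example. This is illustrative code written for this page, not an OpenClaw feature; the JSON-lines record shape (event, message_id, chat_type, classified_as, decision) and the sample records are constructed, and should be mapped onto whatever your deployment actually logs. The check flags a card action whose policy decision used a classification that contradicts the delivery record, and separately flags actions with no delivery record at all, since their origin cannot be verified.

```javascript
// Added example (not OpenClaw's code): correlate card-delivery and card-action
// records from a constructed JSON-lines log and report callbacks whose policy
// decision used a conversation type that contradicts the card's real origin.
// The record shape is an assumption for illustration.

const sampleLog = [
  // card sent into a DM, then clicked; decision used 'group' -> bypass
  '{"ts":"2026-05-12T09:00:01Z","event":"card.delivered","message_id":"om_1","chat_type":"p2p"}',
  '{"ts":"2026-05-12T09:00:07Z","event":"card.action","message_id":"om_1","classified_as":"group","decision":"allow"}',
  // card sent into a group, then clicked; consistent
  '{"ts":"2026-05-12T09:01:00Z","event":"card.delivered","message_id":"om_2","chat_type":"group"}',
  '{"ts":"2026-05-12T09:01:04Z","event":"card.action","message_id":"om_2","classified_as":"group","decision":"allow"}',
  // card sent into a DM on a patched build; classified as dm and denied
  '{"ts":"2026-05-12T09:02:00Z","event":"card.delivered","message_id":"om_3","chat_type":"p2p"}',
  '{"ts":"2026-05-12T09:02:05Z","event":"card.action","message_id":"om_3","classified_as":"dm","decision":"deny"}',
  // action with no matching delivery record; origin unknown, flag for review
  '{"ts":"2026-05-12T09:03:00Z","event":"card.action","message_id":"om_9","classified_as":"group","decision":"allow"}',
  'not json at all',
].join('\n');

// Parse JSON lines, skipping anything that is not valid JSON.
function parseLines(text) {
  const records = [];
  for (const line of text.split('\n')) {
    try {
      records.push(JSON.parse(line));
    } catch {
      // malformed line: ignore
    }
  }
  return records;
}

// Returns one finding per card.action whose decision was made under a
// classification that does not match the delivery record, or whose origin
// is unknown. Records are assumed to be in time order (delivery before action).
function findMisclassifiedCardActions(text) {
  const origins = new Map(); // message_id -> 'dm' | 'group'
  const findings = [];
  for (const r of parseLines(text)) {
    if (r.event === 'card.delivered') {
      origins.set(r.message_id, r.chat_type === 'p2p' ? 'dm' : 'group');
    } else if (r.event === 'card.action') {
      const actual = origins.get(r.message_id);
      if (actual === undefined) {
        findings.push({ message_id: r.message_id, ts: r.ts, reason: 'unknown-origin', decision: r.decision });
      } else if (actual !== r.classified_as) {
        findings.push({
          message_id: r.message_id,
          ts: r.ts,
          reason: `classified-${r.classified_as}-actual-${actual}`,
          decision: r.decision,
        });
      }
    }
  }
  return findings;
}

const findings = findMisclassifiedCardActions(sampleLog);
console.log(findings);
```

A finding with decision "allow" and reason "classified-group-actual-dm" is the concrete indicator of the bypass; "unknown-origin" findings are lower confidence and mainly reveal gaps in what the deployment logs.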
Monitoring Recommendations
- Enable verbose policy decision logging on OpenClaw to capture the conversation type used during each dmPolicy evaluation.
- Alert on any card-action callback that results in command execution within a direct message conversation.
- Track outbound API calls from OpenClaw to Feishu following card-action events to identify policy-violating responses.
How to Mitigate CVE-2026-44993
Immediate Actions Required
- Upgrade OpenClaw to version 2026.4.20 or later, which contains the classification fix referenced in commit 90979d7c3ef7ec30b9f8aa6963a5e38d2f17d166.
- Inventory all OpenClaw deployments integrated with Feishu and verify which instances enforce a dmPolicy.
- Restrict network access to OpenClaw callback endpoints to trusted Feishu source ranges until patching is complete. Note that this hardens the endpoint against spoofed callbacks but does not block the bypass itself: the attacker's card click arrives as a legitimate callback relayed by Feishu.
Patch Information
The upstream fix is available in the GitHub Commit Update and is included in OpenClaw release 2026.4.20. The patch corrects the conversation type classification used by Feishu card-action callbacks so that dmPolicy checks evaluate the true source context. Refer to the GitHub Security Advisory GHSA-72q8-jcmc-97wx for full remediation details.
Workarounds
- Disable Feishu card-action handlers in OpenClaw configuration until the upgrade is applied if dmPolicy enforcement is security-critical.
- Apply equivalent restrictions at the Feishu administrative layer to prevent bot card delivery in direct message channels.
- Limit which users can authenticate to OpenClaw to reduce the population capable of triggering the bypass.
# Upgrade OpenClaw to the patched release
npm install openclaw@2026.4.20
# Verify the installed version
npm list openclaw
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.