CVE-2026-44109

OpenClaw · Sandbox Browser

OpenClaw contains an authentication bypass in webhook validation that allows unauthenticated attackers to execute arbitrary commands.

Executive summary

A critical authentication bypass in OpenClaw's webhook validation allows unauthenticated attackers to execute arbitrary commands on the system.

Vulnerability

The application fails to validate webhook signatures when configuration keys are missing, effectively failing open. This allows an unauthenticated attacker to replay requests or bypass signature verification entirely to execute arbitrary commands.

Business impact

The ability to execute arbitrary commands on the host system represents the highest level of security risk. Given the 9.8 CVSS score, this vulnerability could be leveraged to gain full system control, install malware, or exfiltrate sensitive data.

Remediation

Immediate Action: Update OpenClaw to version 2026.4.15 or later.

Proactive Monitoring: Review system logs for unauthorized command execution and audit webhook callback patterns.

Compensating Controls: Ensure that all webhook endpoints are protected by robust authentication and signature verification, and use network segmentation to limit the exposure of these endpoints.

Exploitation status

Public Exploit Available: false

Analyst recommendation

This is a critical vulnerability that must be addressed immediately. Ensure all instances are patched and that cryptographic keys are properly configured to prevent unauthorized command execution.