CVE-2026-44993

MEDIUM NVD

CVSS Score 5.4

Severity MEDIUM

Published May 11, 2026

Vendor unknown

Description

OpenClaw before 2026.4.20 contains a message classification vulnerability in Feishu card-action callbacks that misclassifies direct messages as group conversations. Attackers can bypass dmPolicy enforcement by triggering card-action flows in direct message conversations that should have been blocked by restrictive policies.

References

https://github.com/openclaw/openclaw/commit/90979d7c3ef7ec30b9f8aa6963a5e38d2f17d166
https://github.com/openclaw/openclaw/security/advisories/GHSA-72q8-jcmc-97wx
https://www.vulncheck.com/advisories/openclaw-direct-message-misclassification-in-feishu-card-actions