CVE-2026-32974
Published: 29 March 2026
Summary
CVE-2026-32974 is a high-severity Improper Verification of Cryptographic Signature (CWE-347) vulnerability in Openclaw Openclaw. Its CVSS base score is 8.6 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 19.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly addresses the vulnerability by restricting permitted actions without full identification and authentication on the public webhook endpoint.
Enforces approved authorizations to block acceptance of forged Feishu events lacking proper verification via encryptKey.
Requires robust identification and authentication for non-organizational entities like Feishu services accessing the webhook.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability is an authentication bypass in a network-accessible webhook endpoint, allowing unauthenticated attackers to inject crafted events and trigger arbitrary execution, directly enabling exploitation of a public-facing application (T1190).
NVD Description
OpenClaw before 2026.3.12 contains an authentication bypass vulnerability in Feishu webhook mode when only verificationToken is configured without encryptKey, allowing acceptance of forged events. Unauthenticated network attackers can inject forged Feishu events and trigger downstream tool execution by reaching the…
more
webhook endpoint.
Deeper analysisAI
CVE-2026-32974 is an authentication bypass vulnerability (CWE-347) in OpenClaw versions prior to 2026.3.12. The flaw exists in Feishu webhook mode when only a verificationToken is configured without an encryptKey, allowing the software to accept forged events sent to the webhook endpoint. Published on 2026-03-29, it carries a CVSS v3.1 base score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L).
Unauthenticated network-adjacent attackers can exploit this vulnerability by directly reaching the webhook endpoint with crafted Feishu events, bypassing verification and injecting malicious payloads. Successful exploitation enables attackers to trigger arbitrary downstream tool execution, potentially leading to high integrity impacts such as unauthorized actions, alongside low confidentiality and availability effects.
Mitigation details are available in the official GitHub Security Advisory at https://github.com/openclaw/openclaw/security/advisories/GHSA-g353-mgv3-8pcj and the VulnCheck advisory at https://www.vulncheck.com/advisories/openclaw-forged-event-injection-via-feishu-webhook-verification-token. Upgrading to OpenClaw 2026.3.12 or later addresses the issue.
Details
- CWE(s)