Cyber Resilience

CVE-2026-32974

HighPublic PoC

Published: 29 March 2026

Published
29 March 2026
Modified
30 March 2026
KEV Added
Patch
CVSS Score v4 8.8 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0025 15.7th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-32974 is a high-severity Improper Verification of Cryptographic Signature (CWE-347) vulnerability in Openclaw Openclaw. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 15.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2026-32974 is an authentication bypass vulnerability (CWE-347) in OpenClaw versions prior to 2026.3.12. The flaw exists in Feishu webhook mode when only a verificationToken is configured without an encryptKey, allowing the software to accept forged events sent to the webhook endpoint. Published on 2026-03-29, it carries a CVSS v3.1 base score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L).

Unauthenticated network-adjacent attackers can exploit this vulnerability by directly reaching the webhook endpoint with crafted Feishu events, bypassing verification and injecting malicious payloads. Successful exploitation enables attackers to trigger arbitrary downstream tool execution, potentially leading to high integrity impacts such as unauthorized actions, alongside low confidentiality and availability effects.

Mitigation details are available in the official GitHub Security Advisory at https://github.com/openclaw/openclaw/security/advisories/GHSA-g353-mgv3-8pcj and the VulnCheck advisory at https://www.vulncheck.com/advisories/openclaw-forged-event-injection-via-feishu-webhook-verification-token. Upgrading to OpenClaw 2026.3.12 or later addresses the issue.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

OpenClaw before 2026.3.12 contains an authentication bypass vulnerability in Feishu webhook mode when only verificationToken is configured without encryptKey, allowing acceptance of forged events. Unauthenticated network attackers can inject forged Feishu events and trigger downstream tool execution by reaching the…

more

webhook endpoint.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability is an authentication bypass in a network-accessible webhook endpoint, allowing unauthenticated attackers to inject crafted events and trigger arbitrary execution, directly enabling exploitation of a public-facing application (T1190).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-32924Same product: Openclaw Openclaw
CVE-2026-43573Same product: Openclaw Openclaw
CVE-2026-35622Same product: Openclaw Openclaw
CVE-2026-28469Same product: Openclaw Openclaw
CVE-2026-22171Same product: Openclaw Openclaw
CVE-2026-28472Same product: Openclaw Openclaw
CVE-2026-41395Same product: Openclaw Openclaw
CVE-2026-32975Same product: Openclaw Openclaw
CVE-2026-28450Same product: Openclaw Openclaw
CVE-2026-32045Same product: Openclaw Openclaw

Affected Assets

openclaw
openclaw
≤ 2026.3.12

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly addresses the vulnerability by restricting permitted actions without full identification and authentication on the public webhook endpoint.

prevent

Enforces approved authorizations to block acceptance of forged Feishu events lacking proper verification via encryptKey.

prevent

Requires robust identification and authentication for non-organizational entities like Feishu services accessing the webhook.

References