HIGH · CVE-2026-32974 · CVSS 8.6

CVE-2026-32974: Webhook Forgery in openclaw

Platform

nodejs

Component

openclaw

Fixed in

2026.3.12

AI Confidence: high · NVD · EPSS 0.1% · Reviewed: May 2026

CVE-2026-32974 affects openclaw, a Node.js application, due to a webhook configuration flaw. This vulnerability allows an attacker to inject forged Feishu events, potentially leading to unauthorized actions within connected tools. Versions of openclaw prior to 2026.3.12 are vulnerable, and a patch has been released to address the issue.

Impact and Attack Scenarios

The core of this vulnerability lies in the webhook mode within openclaw. When encryptKey is omitted during configuration, only the verificationToken is used for authentication. This significantly weakens the security boundary, as an attacker can craft malicious Feishu events without proper cryptographic verification. Successful exploitation allows an attacker to impersonate senders and trigger actions within downstream tools, effectively gaining unauthorized control. The blast radius depends on the permissions granted to the openclaw agent and the sensitivity of the tools it interacts with. This is similar to other webhook vulnerabilities where improper validation leads to arbitrary code execution.

Exploitation Context

This CVE was publicly disclosed on 2026-03-13. There is no indication of active exploitation at this time, and it is not currently listed on the CISA KEV catalog. The EPSS score is likely to be low to medium, given the need for network access and the potential for detection through monitoring. Public proof-of-concept code is not currently available.

Threat Intelligence

Exploit Status

Proof of Concept: Unknown
CISA KEV: No
Internet Exposure: High
Reports: 2 threat reports

EPSS

0.06% (18th percentile)

CISA SSVC

Exploitation: none
Automatable: yes
Technical Impact: partial

CVSS Vector

CVSS 3.1 vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L (base score 8.6, HIGH; source: nextguardhq.com)
What do these metrics mean?
Attack Vector
Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity
Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required
None — unauthenticated. No login or credentials needed to exploit.
User Interaction
None — attack is automatic and silent. Victim does nothing: no click, no file open.
Scope
Unchanged — impact is limited to the vulnerable component itself.
Confidentiality
Low — partial or indirect data access. Attacker gains limited information.
Integrity
High — attacker can write, modify, or delete any data: databases, config files, or code.
Availability
Low — partial or intermittent denial of service. Attacker can degrade performance.

Affected Software

Component: openclaw
Vendor: osv
Affected range: 0 – 2026.3.12 (fixed in 2026.3.12)

Weakness Classification (CWE)

Timeline

  1. Reserved
  2. Published
  3. Modified
  4. EPSS updated

Mitigation and Workarounds

The primary mitigation is to upgrade openclaw to version 2026.3.12 or later, which includes the necessary cryptographic verification. If an immediate upgrade is not feasible, ensure that both verificationToken and encryptKey are configured for all webhook endpoints. Consider implementing a Web Application Firewall (WAF) to filter incoming webhook requests and block those lacking proper encryption. Monitor openclaw logs for suspicious activity, particularly requests originating from unexpected sources. After upgrading, confirm the fix by sending a test Feishu event and verifying that it is properly authenticated and encrypted.

How to fix

Update OpenClaw to version 2026.3.12 or later. Configure encryptKey along with verificationToken to enable proper Feishu webhook verification.

Frequently asked questions

What is CVE-2026-32974 — Webhook Forgery in openclaw?

CVE-2026-32974 is a HIGH severity vulnerability in openclaw where missing encryption allows forged Feishu events to be accepted, potentially triggering unauthorized actions.

Am I affected by CVE-2026-32974 in openclaw?

You are affected if you are using openclaw versions 2026.3.11 or earlier and have not configured both verificationToken and encryptKey for your webhook endpoints.

How do I fix CVE-2026-32974 in openclaw?

Upgrade openclaw to version 2026.3.12 or later. Ensure both verificationToken and encryptKey are configured for all webhook endpoints.

Is CVE-2026-32974 being actively exploited?

There is currently no indication of active exploitation of CVE-2026-32974.

Where can I find the official openclaw advisory for CVE-2026-32974?

Refer to the openclaw project's release notes and security advisories for details: [https://github.com/your-openclaw-repo/releases](https://github.com/your-openclaw-repo/releases)