#VU125159 Improper Verification of Cryptographic Signature in OpenClaw - CVE-2026-32974

Published: April 8, 2026


Vulnerability identifier: #VU125159
Vulnerability risk: High
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2026-32974
CWE-ID: CWE-347
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
OpenClaw
Software vendor:
OpenClaw

Description

The vulnerability allows a remote attacker to inject forged Feishu events and impersonate senders.

The vulnerability exists due to improper verification of the cryptographic signature in the Feishu webhook endpoint when handling inbound Feishu events with only `verificationToken` configured. A remote attacker can send forged webhook events to the endpoint to inject forged Feishu events and impersonate senders.

Potential downstream tool execution is subject to the local agent policy.
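To illustrate why a static shared token is not a cryptographic signature, here is an added example (not OpenClaw's code, not the vendor's fix) placing a token-only check beside a signature check that is bound to the payload. It assumes the Feishu/Lark event-signing scheme (SHA-256 over timestamp, nonce, encrypt key and raw body, carried in X-Lark-* headers); that scheme, the header names and all key/token values are assumptions or constructed sample values, not taken from this advisory.

```python
import hashlib
import hmac
import json
import time
from typing import Optional

# Assumed Feishu/Lark signing scheme (not stated in the advisory):
# signature = sha256(timestamp + nonce + encrypt_key + raw_body), hex-encoded,
# sent in X-Lark-Signature with X-Lark-Request-Timestamp and X-Lark-Request-Nonce.
VERIFICATION_TOKEN = "constructed-verification-token"   # constructed sample value
ENCRYPT_KEY = "constructed-encrypt-key"                 # constructed sample value
MAX_SKEW_SECONDS = 300


def token_only_check(raw_body: bytes) -> bool:
    """Weak check: accepts any event that merely echoes the static shared token.
    Nothing binds the token to this payload, timestamp or sender, so any party
    holding the token can submit arbitrary events (the CWE-347 pattern)."""
    event = json.loads(raw_body)
    return event.get("token") == VERIFICATION_TOKEN


def signed_check(headers: dict, raw_body: bytes, now: Optional[float] = None) -> bool:
    """Hardened check: require a signature over timestamp, nonce and the exact
    raw body, reject stale timestamps, and compare digests in constant time."""
    ts = headers.get("X-Lark-Request-Timestamp", "")
    nonce = headers.get("X-Lark-Request-Nonce", "")
    sig = headers.get("X-Lark-Signature", "")
    if not (ts.isdigit() and nonce and sig):
        return False  # fail closed: a request without signing headers is never trusted
    now = time.time() if now is None else now
    if abs(now - int(ts)) > MAX_SKEW_SECONDS:
        return False  # replayed or clock-skewed request
    expected = hashlib.sha256(
        ts.encode() + nonce.encode() + ENCRYPT_KEY.encode() + raw_body
    ).hexdigest()
    return hmac.compare_digest(expected, sig)


def sign(ts: str, nonce: str, raw_body: bytes) -> dict:
    """Builds the headers a legitimate signer would attach (used for the sample)."""
    digest = hashlib.sha256(
        ts.encode() + nonce.encode() + ENCRYPT_KEY.encode() + raw_body
    ).hexdigest()
    return {"X-Lark-Request-Timestamp": ts, "X-Lark-Request-Nonce": nonce,
            "X-Lark-Signature": digest}


SAMPLE_BODY = json.dumps({"token": VERIFICATION_TOKEN,  # constructed sample event
                          "event": {"sender": "user_a", "text": "hello"}}).encode()
```

With only the token configured, `token_only_check` passes the constructed event on the strength of a value that is identical for every request; `signed_check` additionally rejects a body altered after signing, a stale timestamp and a request with missing or wrong signing headers.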


Remediation

Install the security update from the vendor's website.

External links