Improper Verification of Cryptographic Signature in OpenClaw - CVE-2026-32974

 

Improper Verification of Cryptographic Signature in OpenClaw - CVE-2026-32974

Published: April 8, 2026


Vulnerability identifier: #VU125159
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2026-32974
CWE-ID: CWE-347
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: OpenClaw
Affected software:
OpenClaw

Detailed vulnerability description

The vulnerability allows a remote attacker to inject forged Feishu events and impersonate senders.

The vulnerability exists due to improper verification of cryptographic signature in the Feishu webhook endpoint when handling inbound Feishu events with only `verificationToken` configured. A remote attacker can send forged webhook events to inject forged Feishu events and impersonate senders.

Potential downstream tool execution is subject to the local agent policy.


How to mitigate CVE-2026-32974

Install security update from vendor's website.

Sources