CVE-2026-32974 - Vulnerability Analysis
High | CVSS: 8.6 | Last Updated: March 29, 2026
OpenClaw - Authentication Bypass
Published: March 29, 2026 | Updated: March 29, 2026 | Remote Exploitable
Overview
OpenClaw versions before 2026.3.12 contain an authentication bypass caused by a missing encryptKey in Feishu webhook mode. Unauthenticated attackers can inject forged events and trigger downstream tool execution. Exploitation requires network access to the webhook endpoint.
Severity & Score
Severity: High
CVSS Score: 8.6
Impact
Unauthenticated attackers can inject forged events and trigger execution of downstream tools, potentially leading to unauthorized actions.
Mitigation
Update to version 2026.3.12 or later.
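For reviewing a custom Feishu webhook receiver against the same failure mode, the following added example (not OpenClaw's code) refuses to start without an encryptKey and rejects any event whose signature does not verify. The function name, config shape, replay window, header names and the `sha256(timestamp + nonce + encryptKey + body)` construction are assumptions to check against Feishu's current documentation.

```javascript
// Added example, not OpenClaw's code. Assumptions: the function name, the config
// shape, the 300 s replay window, and a signature of
// sha256(timestamp + nonce + encryptKey + rawBody) carried in x-lark-* headers.
const crypto = require('node:crypto');

const MAX_SKEW_SECONDS = 300; // assumed replay window

function createFeishuWebhookVerifier(config) {
  const key = config && config.encryptKey;
  // Fail closed at startup: without a key no incoming event can be authenticated.
  if (typeof key !== 'string' || key.length === 0) {
    throw new Error('Feishu webhook mode requires a non-empty encryptKey');
  }
  // Returns true only when the signature matches the raw request body.
  return function verify(headers, rawBody, nowSeconds = Math.floor(Date.now() / 1000)) {
    const timestamp = headers['x-lark-request-timestamp'];
    const nonce = headers['x-lark-request-nonce'];
    const signature = headers['x-lark-signature'];
    if (![timestamp, nonce, signature].every((v) => typeof v === 'string' && v.length > 0)) {
      return false; // a missing header is a rejection, never a reason to skip the check
    }
    if (!/^\d+$/.test(timestamp) || Math.abs(nowSeconds - Number(timestamp)) > MAX_SKEW_SECONDS) return false;
    if (!/^[0-9a-fA-F]{64}$/.test(signature)) return false;
    const expected = crypto.createHash('sha256')
      .update(timestamp + nonce + key, 'utf8')
      .update(rawBody)
      .digest();
    return crypto.timingSafeEqual(Buffer.from(signature, 'hex'), expected);
  };
}

// Constructed sample key, headers and event body for the demonstration.
function demo() {
  const key = 'constructed-test-key';
  const body = Buffer.from('{"type":"event_callback","event":{"text":"hi"}}');
  const ts = '1700000000';
  const nonce = 'abc123';
  const sig = crypto.createHash('sha256').update(ts + nonce + key, 'utf8').update(body).digest('hex');
  const verify = createFeishuWebhookVerifier({ encryptKey: key });
  const good = { 'x-lark-request-timestamp': ts, 'x-lark-request-nonce': nonce, 'x-lark-signature': sig };
  return {
    signed: verify(good, body, 1700000010),
    tamperedBody: verify(good, Buffer.from('{"type":"forged"}'), 1700000010),
    unsigned: verify({}, body, 1700000010),
    stale: verify(good, body, 1700009999),
  };
}
```

The verifier must be given the raw request bytes, before any JSON parsing or re-serialization, or a legitimate signature will not match.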
Details
- CVE ID: CVE-2026-32974
- Severity: High
- CVSS Score: 8.6
- Type: broken_authentication
- Status: new
CWE
- CWE-347
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L