Description
OpenClaw before 2026.3.12 contains an authentication bypass vulnerability in Feishu webhook mode when only verificationToken is configured without encryptKey, allowing acceptance of forged events. Unauthenticated network attackers can inject forged Feishu events and trigger downstream tool execution by reaching the webhook endpoint.
Published: 2026-03-29
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

OpenClaw before version 2026.3.12 contains an authentication bypass in Feishu webhook mode. When a verificationToken is configured without an encryptKey, an unauthenticated network attacker can forge Feishu events that the system accepts and forwards. The forged events can trigger configured downstream tools, effectively enabling the attacker to execute arbitrary commands on the host. This flaw compromises confidentiality, integrity, and availability of the affected system.

Affected Systems

All installations of OpenClaw older than 2026.3.12 are affected. The product is the Node.js‑based OpenClaw service that processes Feishu webhook events.

Risk and Exploitability

The vulnerability scores 8.8 on CVSS, indicating high severity. EPSS data is not available, and the issue is not listed in CISA’s KEV catalog, but the lack of required credentials and the controlled nature of the webhook endpoint makes exploitation relatively easy for an attacker with network access. The potential impact of arbitrary command execution is significant, necessitating prompt remediation.

Generated by OpenCVE AI on March 29, 2026 at 14:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update OpenClaw to version 2026.3.12 or later.
  • If upgrading is not immediately possible, configure an encryptKey in addition to the verificationToken to enable message authentication.
  • Limit inbound traffic to the Feishu webhook endpoint to trusted IP addresses only.
  • Monitor the application logs for unexpected or malformed Feishu events.

Generated by OpenCVE AI on March 29, 2026 at 14:37 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-g353-mgv3-8pcj OpenClaw: Feishu webhook mode accepted forged events when only `verificationToken` was configured
History

Sun, 29 Mar 2026 13:15:00 +0000

Type Values Removed Values Added
Description OpenClaw before 2026.3.12 contains an authentication bypass vulnerability in Feishu webhook mode when only verificationToken is configured without encryptKey, allowing acceptance of forged events. Unauthenticated network attackers can inject forged Feishu events and trigger downstream tool execution by reaching the webhook endpoint.
Title OpenClaw < 2026.3.12 - Forged Event Injection via Feishu Webhook Verification Token
First Time appeared Openclaw
Openclaw openclaw
Weaknesses CWE-347
CPEs cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*
Vendors & Products Openclaw
Openclaw openclaw
References
Metrics cvssV3_1

{'score': 8.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L'}

cvssV4_0

{'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N'}

Subscriptions

Openclaw Openclaw
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-01T15:32:23.901Z

Reserved: 2026-03-17T11:31:33.584Z

Link: CVE-2026-32974

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-03-29T13:17:01.570

Modified: 2026-03-30T17:13:29.780

Link: CVE-2026-32974

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-30T06:58:19Z

Weaknesses