CVE-2026-32974
Severity: HIGH 8.6 | EPSS: 0.06%
OpenClaw: Feishu webhook mode accepted forged events when only `verificationToken` was configured
Description
### Summary
Feishu webhook mode allowed deployments that configured only `verificationToken` without `encryptKey`. In that state, forged inbound events could be accepted: the verification token is a static shared value carried inside the event payload itself, so comparing it proves nothing about who sent the request. Only `encryptKey` provides the required cryptographic verification boundary, because it is the key Feishu uses to sign each request (the `X-Lark-Signature` header, computed over the request timestamp, nonce, key and raw body) and to encrypt the event payload.

### Impact
An unauthenticated network attacker who could reach the webhook endpoint could inject forged Feishu events, impersonate senders, and potentially trigger downstream tool execution, subject to the local agent policy.

### Affected versions
`openclaw` `<= 2026.3.11`

### Patch
Fixed in `openclaw` `2026.3.12`. Feishu webhook mode now fails closed unless `encryptKey` is configured, and the webhook transport rejects missing or invalid signatures before dispatch. Update to `2026.3.12` or later and configure `encryptKey` for webhook deployments.
Affected packages (1)
- npm/openclaw: from 0, < 2026.3.12
CVSS score
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH 8.6 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L |
References (7)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2026-32974
- PATCH: https://github.com/openclaw/openclaw
- WEB: https://github.com/openclaw/openclaw/commit/7844bc89a1612800810617c823eb0c76ef945804
- WEB: https://github.com/openclaw/openclaw/pull/44087
- WEB: https://github.com/openclaw/openclaw/releases/tag/v2026.3.12
- WEB: https://github.com/openclaw/openclaw/security/advisories/GHSA-g353-mgv3-8pcj
- WEB: https://www.vulncheck.com/advisories/openclaw-forged-event-injection-via-feishu-webhook-verification-token