Skip to main content

Jwt Attack EUVDEUVD-2026-17013

| CVE-2026-32974 HIGH
Improper Verification of Cryptographic Signature (CWE-347)
8.8
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

4
Patch released
Apr 07, 2026 - 02:30 nvd
Patch available
EUVD ID Assigned
Mar 29, 2026 - 13:15 euvd
EUVD-2026-17013
Analysis Generated
Mar 29, 2026 - 13:15 vuln.today
CVE Published
Mar 29, 2026 - 12:44 nvd
HIGH 8.8

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 1 npm packages depend on openclaw (1 direct, 0 indirect)

Ecosystem-wide dependent count for version 2026.3.12.

DescriptionCVE.org

OpenClaw before 2026.3.12 contains an authentication bypass vulnerability in Feishu webhook mode when only verificationToken is configured without encryptKey, allowing acceptance of forged events. Unauthenticated network attackers can inject forged Feishu events and trigger downstream tool execution by reaching the webhook endpoint.

AnalysisAI

Authentication bypass in OpenClaw's Feishu webhook integration (pre-2026.3.12) allows unauthenticated remote attackers to inject forged events and trigger arbitrary downstream tool execution. The vulnerability occurs when administrators configure only verificationToken without encryptKey, enabling attackers to craft malicious webhook payloads that bypass validation. No public exploit identified at time of analysis, though CVSS 8.8 reflects network accessibility (AV:N), zero complexity (AC:L), and no privileges required (PR:N).

Technical ContextAI

OpenClaw implements webhook integration with Feishu (ByteDance's enterprise collaboration platform) using two-tier security: verificationToken for basic request validation and encryptKey for cryptographic payload verification. The vulnerability stems from CWE-347 (Improper Verification of Cryptographic Signature), where the application accepts events authenticated only by verificationToken-a shared secret transmitted in cleartext-without enforcing encryptKey-based HMAC or digital signature verification. When encryptKey is omitted from configuration, attackers can forge valid-appearing webhook requests by simply including the verificationToken, which may be leaked through network traffic inspection, configuration exposures, or social engineering. The affected CPE (cpe:2.3:a:openclaw:openclaw) indicates this is a product-wide architecture flaw rather than version-specific regression.

RemediationAI

Upgrade to OpenClaw version 2026.3.12 or later, which enforces mandatory encryptKey validation for Feishu webhook requests. The patched version rejects webhook events lacking cryptographic signature verification, closing the authentication bypass vector. For environments unable to immediately upgrade, implement compensating controls: configure encryptKey parameter in webhook settings to enable HMAC-based payload authentication, restrict network access to webhook endpoints using firewall rules or reverse proxy ACLs permitting only Feishu server IP ranges, and enable request logging to detect anomalous webhook traffic patterns. Verify remediation by attempting webhook delivery with valid verificationToken but invalid or missing encryptKey-the application should reject the request post-patch. Consult vendor security advisory at https://github.com/openclaw/openclaw/security/advisories/GHSA-g353-mgv3-8pcj for configuration migration guidance and backward compatibility considerations when enabling encryptKey on existing deployments.

CVE-2013-3900 MEDIUM
5.5 Dec 11

Why is Microsoft republishing a CVE from 2013? We are republishing CVE-2013-3900 in the Security Update Guide to update

CVE-2026-48558 CRITICAL POC
9.5 Jun 12

Authentication bypass in SimpleHelp 5.5.15 and prior (plus 6.0 pre-release builds) allows remote unauthenticated attacke

CVE-2025-59718 CRITICAL
9.8 Dec 09

Authentication bypass in Fortinet FortiOS, FortiProxy, and FortiSwitchManager allows unauthenticated remote attackers to

CVE-2025-25291 CRITICAL POC
9.3 Mar 12

ruby-saml provides security assertion markup language (SAML) single sign-on (SSO) for Ruby. Rated critical severity (CVS

CVE-2025-25292 CRITICAL POC
9.3 Mar 12

ruby-saml provides security assertion markup language (SAML) single sign-on (SSO) for Ruby. Rated critical severity (CVS

CVE-2022-25898 CRITICAL POC
9.8 Jul 01

The package jsrsasign before 10.5.25 are vulnerable to Improper Verification of Cryptographic Signature when JWS or JWT

CVE-2024-42004 CRITICAL POC
9.8 Dec 18

A library injection vulnerability exists in Microsoft Teams (work or school) 24046.2813.2770.1094 for macOS. Rated criti

CVE-2024-41145 CRITICAL POC
9.8 Dec 18

A library injection vulnerability exists in the WebView.app helper app of Microsoft Teams (work or school) 24046.2813.27

CVE-2024-41138 CRITICAL POC
9.8 Dec 18

A library injection vulnerability exists in the com.microsoft.teams2.modulehost.app helper app of Microsoft Teams (work

CVE-2024-45409 CRITICAL POC
9.8 Sep 10

The Ruby SAML library is for implementing the client side of a SAML authorization. Rated critical severity (CVSS 9.8), t

CVE-2022-35929 CRITICAL POC
9.8 Aug 04

cosign is a container signing and verification utility. Rated critical severity (CVSS 9.8), this vulnerability is remote

CVE-2022-31053 CRITICAL POC
9.8 Jun 13

Biscuit is an authentication and authorization token for microservices architectures. Rated critical severity (CVSS 9.8)

Share

EUVD-2026-17013 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy