CVE-2026-32011

HIGH

OpenClaw < 2026.3.2 - Slow-Request Denial of Service via Pre-Auth Webhook Body Parsing

Title source: cna

Description

OpenClaw versions prior to 2026.3.2 contain a denial of service vulnerability in webhook handlers for BlueBubbles and Google Chat that parse request bodies before performing authentication and signature validation. Unauthenticated attackers can exploit this by sending slow or oversized request bodies to exhaust parser resources and degrade service availability.

References (3)

[Third Party Advisory] https://github.com/openclaw/openclaw/security/advisories/GHSA-x4vp-4235-65hg

[Patch] https://github.com/openclaw/openclaw/commit/d3e8b17aa6432536806b4853edc7939d891d0f25

View Patch ZIP pw:eip

[Third Party Advisory] https://www.vulncheck.com/advisories/openclaw-slow-request-denial-of-service-via-pre-auth-webhook-body-parsing

Scores

CVSS v3 7.5

EPSS 0.0008

EPSS Percentile 24.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-770

Status published

Products (3)

npm/openclaw 0 - 2026.3.2npm

OpenClaw/OpenClaw < 2026.3.2

OpenClaw/OpenClaw 2026.3.2

Published Mar 19, 2026

Tracked Since Mar 20, 2026