CVE-2026-32980

HIGH

OpenClaw < 2026.3.13 - Resource Exhaustion via Unauthenticated Telegram Webhook Request

Title source: cna

Description

OpenClaw before 2026.3.13 reads and buffers Telegram webhook request bodies before validating the x-telegram-bot-api-secret-token header, allowing unauthenticated attackers to exhaust server resources. Attackers can send POST requests to the webhook endpoint to force memory consumption, socket time, and JSON parsing work before authentication validation occurs.

References (3)

[Third Party Advisory] https://github.com/openclaw/openclaw/security/advisories/GHSA-jq3f-vjww-8rq7

[Patch] https://github.com/openclaw/openclaw/commit/7e49e98f79073b11134beac27fdff547ba5a4a02

View Patch ZIP pw:eip

[Third Party Advisory] https://www.vulncheck.com/advisories/openclaw-resource-exhaustion-via-unauthenticated-telegram-webhook-request

Scores

CVSS v3 7.5

EPSS 0.0004

EPSS Percentile 10.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-770

Status published

Products (4)

npm/openclaw 0 - 2026.3.13npm

OpenClaw/OpenClaw < 2026.3.13

openclaw/openclaw < 2026.3.13

OpenClaw/OpenClaw 2026.3.13

Published Mar 29, 2026

Tracked Since Mar 29, 2026