CVE-2026-35626
MEDIUM
OpenClaw < 2026.3.22 - Unauthenticated Resource Exhaustion via Voice Call Webhook
Title source: cna
Description
OpenClaw before 2026.3.22 contains an unauthenticated resource exhaustion vulnerability in voice call webhook handling: the handler buffers the full request body before the provider signature is checked. Because the resource cost is incurred before signature validation runs, an attacker can send large or malicious webhook requests that exhaust server resources without authentication and without needing a valid provider signature.
References (4)
Core References
Third Party Advisory
GitHub Security Advisory (GHSA-rm59-992w-x2mv)
https://github.com/openclaw/openclaw/security/advisories/GHSA-rm59-992w-x2mv
Patch
Patch Commit #1
https://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87
Patch
Patch Commit #2
https://github.com/openclaw/openclaw/commit/651dc7450b68a5396a009db78ef9382633707ead
Third Party Advisory
VulnCheck Advisory: OpenClaw < 2026.3.22 - Unauthenticated Resource Exhaustion via Voice Call Webhook
https://www.vulncheck.com/advisories/openclaw-unauthenticated-resource-exhaustion-via-voice-call-webhook
Scores
CVSS v3
5.3
EPSS
0.0049
EPSS Percentile
38.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-405
Status
published
Products (4)
npm/openclaw
0 - 2026.3.22 (npm)
OpenClaw/OpenClaw
< 2026.3.22
openclaw/openclaw
< 2026.3.22
OpenClaw/OpenClaw
2026.3.22
Published
Apr 09, 2026
Tracked Since
Apr 10, 2026