CVE-2026-35626

MEDIUM

OpenClaw < 2026.3.22 - Unauthenticated Resource Exhaustion via Voice Call Webhook

Title source: cna

Description

OpenClaw before 2026.3.22 contains an unauthenticated resource exhaustion vulnerability in voice call webhook handling that buffers request bodies before provider signature checks. Attackers can send large or malicious webhook requests to exhaust server resources without authentication by bypassing signature validation.

References (4)

[Third Party Advisory] https://github.com/openclaw/openclaw/security/advisories/GHSA-rm59-992w-x2mv

[Patch] https://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87

[Patch] https://github.com/openclaw/openclaw/commit/651dc7450b68a5396a009db78ef9382633707ead

View Patch ZIP pw:eip

[Third Party Advisory] https://www.vulncheck.com/advisories/openclaw-unauthenticated-resource-exhaustion-via-voice-call-webhook

Scores

CVSS v3 5.3

EPSS 0.0009

EPSS Percentile 24.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Details

CWE

CWE-405

Status published

Products (4)

npm/openclaw 0 - 2026.3.22npm

OpenClaw/OpenClaw < 2026.3.22

openclaw/openclaw < 2026.3.22

OpenClaw/OpenClaw 2026.3.22

Published Apr 09, 2026

Tracked Since Apr 10, 2026