CVE-2026-41343
MEDIUMOpenClaw < 2026.3.31 - Denial of Service via LINE Webhook Handler Pre-Auth Concurrency
Title source: cnaDescription
OpenClaw before 2026.3.31 lacks a shared pre-auth concurrency budget on the public LINE webhook path, allowing attackers to cause transient availability loss. Remote attackers can flood the webhook endpoint with concurrent requests before signature verification to exhaust resources and degrade service availability.
References (3)
Core 3
Core References
Vendor Advisory vendor-advisory
GitHub Security Advisory (GHSA-qcc3-jqwp-5vh2)
https://github.com/openclaw/openclaw/security/advisories/GHSA-qcc3-jqwp-5vh2
Patch patch
Patch Commit
https://github.com/openclaw/openclaw/commit/57c47d8c7fbf5a2e70cc4dec2380977968903cad
Third Party Advisory third-party-advisory
VulnCheck Advisory: OpenClaw < 2026.3.31 - Denial of Service via LINE Webhook Handler Pre-Auth Concurrency
https://www.vulncheck.com/advisories/openclaw-denial-of-service-via-line-webhook-handler-pre-auth-concurrency
Scores
CVSS v3
5.3
EPSS
0.0046
EPSS Percentile
36.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-799
Status
published
Products (4)
npm/openclaw
0 - 2026.3.31npm
OpenClaw/OpenClaw
< 2026.3.31
openclaw/openclaw
< 2026.3.31
OpenClaw/OpenClaw
2026.3.31
Published
Apr 23, 2026
Tracked Since
Apr 24, 2026