CVE-2026-41343

MEDIUM

OpenClaw < 2026.3.31 - Denial of Service via LINE Webhook Handler Pre-Auth Concurrency

Title source: cna

Description

OpenClaw before 2026.3.31 lacks a shared pre-auth concurrency budget on the public LINE webhook path, allowing attackers to cause transient availability loss. Remote attackers can flood the webhook endpoint with concurrent requests before signature verification to exhaust resources and degrade service availability.

References (3)

[Vendor Advisory] https://github.com/openclaw/openclaw/security/advisories/GHSA-qcc3-jqwp-5vh2

[Patch] https://github.com/openclaw/openclaw/commit/57c47d8c7fbf5a2e70cc4dec2380977968903cad

View Patch ZIP pw:eip

[Third Party Advisory] https://www.vulncheck.com/advisories/openclaw-denial-of-service-via-line-webhook-handler-pre-auth-concurrency

Scores

CVSS v3 5.3

EPSS 0.0009

EPSS Percentile 25.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Details

CWE

CWE-799

Status published

Products (2)

OpenClaw/OpenClaw < 2026.3.31

OpenClaw/OpenClaw 2026.3.31

Published Apr 23, 2026

Tracked Since Apr 24, 2026