Description
OpenClaw versions prior to 2026.3.2 contain a denial of service vulnerability in webhook handlers for BlueBubbles and Google Chat that parse request bodies before performing authentication and signature validation. Unauthenticated attackers can exploit this by sending slow or oversized request bodies to exhaust parser resources and degrade service availability.
Published: 2026-03-19
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Patch to 2026.3.2 or newer
AI Analysis

Impact

OpenClaw installations running a version older than 2026.3.2 are susceptible to a denial‑of‑service attack. The vulnerability resides in the parsing of webhook request bodies for BlueBubbles and Google Chat before performing authentication and signature validation. An unauthenticated attacker can send requests with slow or oversized bodies, exhausting parsing resources and temporarily degrading or denying service to legitimate users. This is identified as a CWE‑770 (Uncontrolled Resource Consumption) and is rated as high severity with a CVSS score of 8.7.

Affected Systems

Affected systems are those running the OpenClaw web application before version 2026.3.2. The vulnerability impacts the webhook handlers responsible for BlueBubbles and Google Chat integrations and is present in all releases prior to the 2026.3.2 update. The vendor product is listed simply as OpenClaw and is distributed as a Node.js application.

Risk and Exploitability

The risk is substantial because the flaw does not require any authentication and can be triggered by any external user capable of reaching the webhook endpoints. Exploitability is straightforward: an attacker crafts slow‑or‑large HTTP request bodies aimed at the webhook URLs, leading to resource exhaustion. The lack of an EPSS score and absence from the CISA KEV catalog does not diminish the theoretical threat, as the CVSS rating remains high and the attack vector is broadly accessible via the public network.

Generated by OpenCVE AI on March 19, 2026 at 23:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install OpenClaw version 2026.3.2 or newer to remove the vulnerability.
  • If an upgrade is not immediately possible, restrict the size and rate of incoming requests to the BlueBubbles and Google Chat webhook endpoints using network firewalls, reverse‑proxy rate limiting, or application‑level request size checks.

Generated by OpenCVE AI on March 19, 2026 at 23:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-x4vp-4235-65hg OpenClaw has pre-auth webhook body parsing that can enable unauthenticated slow-request DoS
History

Fri, 20 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 19 Mar 2026 22:15:00 +0000

Type Values Removed Values Added
Description OpenClaw versions prior to 2026.3.2 contain a denial of service vulnerability in webhook handlers for BlueBubbles and Google Chat that parse request bodies before performing authentication and signature validation. Unauthenticated attackers can exploit this by sending slow or oversized request bodies to exhaust parser resources and degrade service availability.
Title OpenClaw < 2026.3.2 - Slow-Request Denial of Service via Pre-Auth Webhook Body Parsing
First Time appeared Openclaw
Openclaw openclaw
Weaknesses CWE-770
CPEs cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*
Vendors & Products Openclaw
Openclaw openclaw
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Openclaw Openclaw
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-20T15:04:20.869Z

Reserved: 2026-03-10T19:48:38.210Z

Link: CVE-2026-32011

cve-icon Vulnrichment

Updated: 2026-03-20T15:04:07.891Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-19T22:16:34.197

Modified: 2026-03-23T18:29:20.040

Link: CVE-2026-32011

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-20T11:05:33Z

Weaknesses