Description
OpenClaw before 2026.3.13 reads and buffers Telegram webhook request bodies before validating the x-telegram-bot-api-secret-token header, allowing unauthenticated attackers to exhaust server resources. Attackers can send POST requests to the webhook endpoint to force memory consumption, socket time, and JSON parsing work before authentication validation occurs.
Published: 2026-03-29
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Resource Exhaustion
Action: Immediate Patch
AI Analysis

Impact

The vulnerability allows unauthenticated attackers to force the OpenClaw server to read and buffer Telegram webhook request bodies before validating the required authentication header. This unvalidated processing consumes memory, socket time, and JSON parsing resources, effectively creating a denial‑of‑service condition. The weakness is a classic resource‑exhaustion flaw, identified as CWE‑770, and can be leveraged by attackers to degrade the availability of services that rely on the webhook endpoint.

Affected Systems

The affected product is OpenClaw by OpenClaw. Versions earlier than 2026.3.13 are vulnerable. No other vendors or products are listed. The vulnerability is tied to the OpenClaw instance that exposes the Telegram webhook endpoint.

Risk and Exploitability

The CVSS score of 8.7 signals a high severity. The lack of an EPSS score means we cannot gauge current exploitation rate from the dataset, but the vulnerability is not yet cataloged under CISA's KEV. The likely attack vector is unauthenticated network requests to the exposed webhook endpoint. An attacker can craft large POST payloads, triggering excessive memory consumption and parsing effort before the authentication header is checked. The exploit requires only network access to the webhook URL; no special credentials are needed. If successful, it can exhaust system resources and lead to denial of service for legitimate users.

Generated by OpenCVE AI on March 29, 2026 at 14:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OpenClaw to version 2026.3.13 or newer
  • Verify that the webhook endpoint checks the x-telegram-bot-api-secret-token header before parsing the request body
  • Monitor traffic to the webhook URL and, if an upgrade cannot be applied immediately, restrict access to trusted IP ranges

Generated by OpenCVE AI on March 29, 2026 at 14:36 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-jq3f-vjww-8rq7 OpenClaw Telegram webhook request bodies were read before secret validation, enabling unauthenticated resource exhaustion
History

Mon, 30 Mar 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sun, 29 Mar 2026 13:15:00 +0000

Type Values Removed Values Added
Description OpenClaw before 2026.3.13 reads and buffers Telegram webhook request bodies before validating the x-telegram-bot-api-secret-token header, allowing unauthenticated attackers to exhaust server resources. Attackers can send POST requests to the webhook endpoint to force memory consumption, socket time, and JSON parsing work before authentication validation occurs.
Title OpenClaw < 2026.3.13 - Resource Exhaustion via Unauthenticated Telegram Webhook Request
First Time appeared Openclaw
Openclaw openclaw
Weaknesses CWE-770
CPEs cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*
Vendors & Products Openclaw
Openclaw openclaw
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Openclaw Openclaw
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-30T16:02:56.784Z

Reserved: 2026-03-17T11:31:56.955Z

Link: CVE-2026-32980

cve-icon Vulnrichment

Updated: 2026-03-30T16:02:52.460Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-29T13:17:02.353

Modified: 2026-03-31T17:54:44.507

Link: CVE-2026-32980

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-30T06:58:15Z

Weaknesses