Description
OpenClaw before 2026.3.22 performs cryptographic and dispatch operations on inbound Nostr direct messages before enforcing sender and pairing policy validation. Attackers can trigger unauthorized pre-authentication computation by sending crafted DM messages, enabling denial of service through resource exhaustion.
Published: 2026-04-09
Score: 6.9 Medium
EPSS: n/a
KEV: No
Impact: Denial of Service via Resource Exhaustion
Action: Patch
AI Analysis

Impact

When processing inbound Nostr direct messages, OpenClaw executes cryptographic and dispatch procedures before validating the sender and pairing policy. As a result, an attacker can send specially crafted DM messages to trigger unauthorized pre‑authentication computation, consuming significant CPU and memory resources and causing the service to become unavailable. This vulnerability is a classic Denial of Service scenario; it would affect confidentiality and integrity only if the attacker could also gain access after the exhaustion, which the description does not indicate.

Affected Systems

The affected vendor is OpenClaw, product OpenClaw. All releases prior to version 2026.3.22 are affected. No other vendor products are listed.

Risk and Exploitability

The CVSS score of 6.9 indicates a moderate severity. The attack does not require authentication and relies on sending malformed DM messages over the network, which makes it relatively easy for anyone with network access to the Nostr endpoint to exploit. EPSS information is unavailable, and the vulnerability is not cataloged in CISA's KEV database. Because the impact is limited to service availability, the broader threat is a denial of service rather than data compromise.

Generated by OpenCVE AI on April 9, 2026 at 22:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official patch or upgrade OpenClaw to version 2026.3.22 or later
  • If an immediate patch is not available, restrict or throttle inbound Nostr DM traffic to prevent resource exhaustion
  • Verify the application of the update and monitor system performance for signs of denial of service

Advisories

No advisories yet.

History

Thu, 09 Apr 2026 21:45:00 +0000

Type / Values Removed / Values Added
Description / (none) / OpenClaw before 2026.3.22 performs cryptographic and dispatch operations on inbound Nostr direct messages before enforcing sender and pairing policy validation. Attackers can trigger unauthorized pre-authentication computation by sending crafted DM messages, enabling denial of service through resource exhaustion.
Title / (none) / OpenClaw < 2026.3.22 - Unauthenticated Cryptographic Work in Nostr Inbound DM Handling
First Time appeared / (none) / Openclaw; Openclaw openclaw
Weaknesses / (none) / CWE-696
CPEs / (none) / cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*
Vendors & Products / (none) / Openclaw; Openclaw openclaw
References / (none) / (none)
Metrics / (none) / cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L'}; cvssV4_0: {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-10T12:32:16.991Z

Reserved: 2026-04-04T12:29:42.738Z

Link: CVE-2026-35627

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-04-09T22:16:31.240

Modified: 2026-04-09T22:16:31.240

Link: CVE-2026-35627

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-10T09:28:35Z

Weaknesses