Description
OpenClaw before 2026.3.31 parses MS Teams webhook request bodies before performing JWT validation, allowing unauthenticated attackers to trigger resource exhaustion. Remote attackers can send malicious Teams webhook payloads to exhaust server resources by bypassing authentication checks.
Published: 2026-04-28
Score: 8.7 High
EPSS: n/a
KEV: No
Impact: Resource Exhaustion (Denial of Service)
Action: Immediate Patch
AI Analysis

Impact

The vulnerability originates from OpenClaw processing Microsoft Teams webhook request bodies before performing JWT validation. An unauthenticated user can send specially crafted payloads that consume excessive CPU or memory, potentially causing a denial of service for legitimate users.

Affected Systems

OpenClaw OpenClaw, any version older than 2026.3.31.

Risk and Exploitability

The CVSS score of 8.7 indicates high severity. Because the flaw is exploitable remotely and does not require authentication, the risk of exploitation is significant. No EPSS data is available and the issue is not listed in the CISA KEV catalog, but the attack vector is straightforward: attackers can send malicious Teams webhook payloads to any exposed OpenClaw instance.

Generated by OpenCVE AI on April 29, 2026 at 01:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OpenClaw to version 2026.3.31 or later, which includes the fix for unchecked body parsing before JWT validation.
  • Configure the server to enforce authentication (JWT validation) before processing any request bodies, ensuring only authorized requests are parsed.
  • Implement limits on request size or other rate‑limiting controls for incoming webhook payloads to reduce the impact of potential resource exhaustion attempts.

Generated by OpenCVE AI on April 29, 2026 at 01:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 28 Apr 2026 19:15:00 +0000

Type Values Removed Values Added
Description OpenClaw before 2026.3.31 parses MS Teams webhook request bodies before performing JWT validation, allowing unauthenticated attackers to trigger resource exhaustion. Remote attackers can send malicious Teams webhook payloads to exhaust server resources by bypassing authentication checks.
Title OpenClaw < 2026.3.31 - Resource Exhaustion via Unauthenticated MS Teams Webhook Body Parsing
First Time appeared Openclaw
Openclaw openclaw
Weaknesses CWE-408
CPEs cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*
Vendors & Products Openclaw
Openclaw openclaw
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Openclaw Openclaw
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-29T12:16:55.183Z

Reserved: 2026-04-20T14:15:22.223Z

Link: CVE-2026-41405

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-28T19:37:44.090

Modified: 2026-04-28T20:10:23.367

Link: CVE-2026-41405

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-29T01:30:06Z

Weaknesses