OpenClaw < 2026.3.24 - Denial of Service via Feishu Webhook...

6.9 / 10

MEDIUM

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Description

OpenClaw before 2026.3.24 contains an incomplete fix for CVE-2026-32011 where the Feishu webhook handler accepts request bodies with permissive limits of 1MB and 30-second timeout before signature verification. An unauthenticated attacker can exhaust server connection resources by sending concurrent slow HTTP POST requests to the Feishu webhook endpoint, blocking legitimate webhook deliveries.

Basic Information

ID CVE-2026-35665

Source VulnCheck

Published Apr 10, 2026 at 16:03

Modified Apr 10, 2026 at 16:58

Affected Product

Vendor OpenClaw

Product OpenClaw

Affected Versions OpenClaw OpenClaw 0

CWE Classification

CWE-405

References

{
    "lastseen": "",
    "description": "OpenClaw before 2026.3.24 contains an incomplete fix for CVE-2026-32011 where the Feishu webhook handler accepts request bodies with permissive limits of 1MB and 30-second timeout before signature verification. An unauthenticated attacker can exhaust server connection resources by sending concurrent slow HTTP POST requests to the Feishu webhook endpoint, blocking legitimate webhook deliveries.",
    "published": "2026-04-10T16:03:25.047Z",
    "modified": "2026-04-10T16:58:15.053Z",
    "type": "cve",
    "title": "OpenClaw < 2026.3.24 - Denial of Service via Feishu Webhook Pre-Auth Body Parsing",
    "source": "VulnCheck",
    "references": "https://github.com/openclaw/openclaw/security/advisories/GHSA-w6m8-cqvj-pg5v\nhttps://www.vulncheck.com/advisories/openclaw-denial-of-service-via-feishu-webhook-pre-auth-body-parsing",
    "id": "CVE-2026-35665",
    "bulletinFamily": "",
    "cwe": [
        "CWE-405"
    ],
    "cvelist": null,
    "sourceData": "OpenClaw OpenClaw 0",
    "sourceHref": "",
    "cvss": {
        "score": 6.9,
        "severity": "MEDIUM",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "OpenClaw",
    "version": "0",
    "vendor": "OpenClaw",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

OpenClaw < 2026.3.24 - Denial of Service via Feishu Webhook Pre-Auth Body Parsing_CVE-2026-35665