CVE-2026-35665
6.9
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
Summary
OpenClaw before 2026.3.24 contains an incomplete fix for CVE-2026-32011 where the Feishu webhook handler accepts request bodies with permissive limits of 1MB and 30-second timeout before signature verification. An unauthenticated attacker can exhaust server connection resources by sending concurrent slow HTTP POST requests to the Feishu webhook endpoint, blocking legitimate webhook deliveries.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| OpenClaw | OpenClaw | 0 < 2026.3.24 | affected |
| OpenClaw | OpenClaw | 2026.3.24 | unaffected |
Weaknesses
- CWE-405: CWE-405 Asymmetric Resource Consumption (Amplification)
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: poc
- Automatable: yes
- Technical Impact: partial
References
- https://github.com/openclaw/openclaw/security/advisories/GHSA-w6m8-cqvj-pg5v
- https://www.vulncheck.com/advisories/openclaw-denial-of-service-via-feishu-webhook-pre-auth-body-parsing
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.