CVE-2026-35665

Summary

OpenClaw before 2026.3.24 contains an incomplete fix for CVE-2026-32011 where the Feishu webhook handler accepts request bodies with permissive limits of 1MB and 30-second timeout before signature verification. An unauthenticated attacker can exhaust server connection resources by sending concurrent slow HTTP POST requests to the Feishu webhook endpoint, blocking legitimate webhook deliveries.

Affected Software

VendorProductVersion RangeStatus
OpenClawOpenClaw0 < 2026.3.24affected
OpenClawOpenClaw2026.3.24unaffected

Weaknesses

  • CWE-405: CWE-405 Asymmetric Resource Consumption (Amplification)

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: yes
    • Technical Impact: partial

References