Home

Description

OpenClaw before 2026.3.24 contains an incomplete fix for CVE-2026-32011 where the Feishu webhook handler accepts request bodies with permissive limits of 1MB and 30-second timeout before signature verification. An unauthenticated attacker can exhaust server connection resources by sending concurrent slow HTTP POST requests to the Feishu webhook endpoint, blocking legitimate webhook deliveries.

PUBLISHED Reserved 2026-04-04 | Published 2026-04-10 | Updated 2026-04-10 | Assigner VulnCheck




MEDIUM: 6.9CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

MEDIUM: 5.3CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Problem types

CWE-405 Asymmetric Resource Consumption (Amplification)

Product status

Default status
unaffected

Any version before 2026.3.24
affected

2026.3.24 (semver)
unaffected

References

github.com/...enclaw/security/advisories/GHSA-w6m8-cqvj-pg5v (GitHub Security Advisory (GHSA-w6m8-cqvj-pg5v)) third-party-advisory

www.vulncheck.com/...ia-feishu-webhook-pre-auth-body-parsing (VulnCheck Advisory: OpenClaw < 2026.3.24 - Denial of Service via Feishu Webhook Pre-Auth Body Parsing) third-party-advisory

cve.org (CVE-2026-35665)

nvd.nist.gov (CVE-2026-35665)

Download JSON