
Description

OpenClaw before 2026.3.31 lacks a shared pre-auth concurrency budget on its public LINE webhook path. Because the handler does per-request work before the LINE signature has been verified, a remote, unauthenticated attacker can flood the endpoint with concurrent requests, exhausting resources and causing transient loss of availability.

State: PUBLISHED | Reserved: 2026-04-20 | Published: 2026-04-23 | Updated: 2026-04-24 | Assigner: VulnCheck

Severity

MEDIUM 6.9 (CVSS 4.0): CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

MEDIUM 5.3 (CVSS 3.1): CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Problem types

CWE-799: Improper Control of Interaction Frequency

Product status

Default status: unaffected

Any version before 2026.3.31: affected

2026.3.31 (semver): unaffected

Credits

Nathan (@nexrin), reporter

KeenSecurityLab, finder

References

github.com/...enclaw/security/advisories/GHSA-qcc3-jqwp-5vh2 (GitHub Security Advisory (GHSA-qcc3-jqwp-5vh2)) vendor-advisory

github.com/...ommit/57c47d8c7fbf5a2e70cc4dec2380977968903cad (Patch Commit) patch

www.vulncheck.com/...ne-webhook-handler-pre-auth-concurrency (VulnCheck Advisory: OpenClaw < 2026.3.31 - Denial of Service via LINE Webhook Handler Pre-Auth Concurrency) third-party-advisory

cve.org (CVE-2026-41343)

nvd.nist.gov (CVE-2026-41343)
