CVE-2026-32011

7.5 HIGH

Published: March 19, 2026 Modified: March 19, 2026

Description

OpenClaw versions prior to 2026.3.2 contain a denial of service vulnerability in webhook handlers for BlueBubbles and Google Chat that parse request bodies before performing authentication and signature validation. Unauthenticated attackers can exploit this by sending slow or oversized request bodies to exhaust parser resources and degrade service availability.

AI Explanation

Get an AI-powered plain-language explanation of this vulnerability and remediation steps.

Login to generate AI explanation

CVSS v3.x Details

0.0 Low Medium High Critical 10.0

Vector String

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References to Advisories, Solutions, and Tools

Patch Vendor Advisory Exploit Third Party Advisory

https://github.com/openclaw/openclaw/commit/d3e8b17aa6432536806b4853edc7939d891d0f25

Source: disclosure@vulncheck.com

https://github.com/openclaw/openclaw/security/advisories/GHSA-x4vp-4235-65hg

Source: disclosure@vulncheck.com

https://www.vulncheck.com/advisories/openclaw-slow-request-denial-of-service-via-pre-auth-webhook-body-parsing

Source: disclosure@vulncheck.com

3 reference(s) from NVD

Quick Stats

CVSS v3 Score

7.5 / 10.0

Exploitation Status

Not in CISA KEV

Weaknesses (CWE)

CWE-770

Related CVEs

CVE-2026-4478 8.1

CVE-2026-4477 3.1

CVE-2026-4476 6.3

CVE-2026-4475 8.8

CVE-2026-4474 2.4