CVE-2026-35640

MEDIUM NVD

CVSS Score 5.3

Severity MEDIUM

Published Apr 09, 2026

Vendor unknown

Description

OpenClaw before 2026.3.25 parses JSON request bodies before validating webhook signatures, allowing unauthenticated attackers to force resource-intensive parsing operations. Remote attackers can send malicious webhook requests to trigger denial of service by exhausting server resources through forced JSON parsing before signature rejection.

References

https://github.com/openclaw/openclaw/commit/5e8cb22176e9235e224be0bc530699261eb60e53
https://github.com/openclaw/openclaw/security/advisories/GHSA-3h52-cx59-c456
https://www.vulncheck.com/advisories/openclaw-denial-of-service-via-unauthenticated-webhook-request-parsing