CVE-2026-41343

MEDIUM NVD

CVSS Score 5.3

Severity MEDIUM

Published Apr 23, 2026

Vendor unknown

Description

OpenClaw before 2026.3.31 lacks a shared pre-auth concurrency budget on the public LINE webhook path, allowing attackers to cause transient availability loss. Remote attackers can flood the webhook endpoint with concurrent requests before signature verification to exhaust resources and degrade service availability.

References

https://github.com/openclaw/openclaw/commit/57c47d8c7fbf5a2e70cc4dec2380977968903cad
https://github.com/openclaw/openclaw/security/advisories/GHSA-qcc3-jqwp-5vh2
https://www.vulncheck.com/advisories/openclaw-denial-of-service-via-line-webhook-handler-pre-auth-concurrency