
MS Teams webhook in OpenClaw may allow unauthenticated resource exhaustion

GHSA-p464-m8x6-vhv8
Summary

MS Teams webhooks in OpenClaw versions 2026.3.28 and earlier can be abused for denial of service (resource exhaustion) without a valid authentication token. The webhook handler parses the request body before the JWT is validated, so an attacker can send a large request body that exhausts system resources before any authentication check rejects it. To fix this, update to version 2026.3.31 or later.

What to do
  • Update openclaw to version 2026.3.31.
Affected software
| Vendor | Product | Affected versions | Fix available |
| --- | --- | --- | --- |
| | openclaw | <= 2026.3.28 | 2026.3.31 |
Original title
OpenClaw: MS Teams webhook parses body before JWT validation, enabling unauthenticated resource exhaustion
Original description
## Summary
MS Teams webhook parses body before JWT validation, enabling unauthenticated resource exhaustion

## Current Maintainer Triage
- Status: open
- Normalized severity: medium
- Assessment: v2026.3.28 still parses Teams JSON after only a Bearer-prefix gate and before real JWT validation, and the auth-before-parse fix is not yet shipped.

## Affected Packages / Versions
- Package: `openclaw` (npm)
- Latest published npm version: `2026.3.31`
- Vulnerable version range: `<=2026.3.28`
- Patched versions: `>= 2026.3.31`
- First stable tag containing the fix: `v2026.3.31`

## Fix Commit(s)
- `3834d47099dd13c8244ed6de8b9ea9855c553623` — 2026-03-30T13:46:40+01:00

OpenClaw thanks @AntAISecurityLab for reporting.
Vulnerability type
CWE-400 Uncontrolled Resource Consumption
Published: 3 Apr 2026 · Updated: 3 Apr 2026 · First seen: 3 Apr 2026