# OpenClaw's Webhook Handler Allows Unauthenticated DDoS
GHSA-x4vp-4235-65hg
## Summary
OpenClaw's webhook handlers for BlueBubbles and Google Chat allowed unauthenticated clients to send slow or oversized requests, potentially causing a denial of service (DoS). This is fixed in version 2026.3.2. To stay secure, update to this version or later.
## What to do
- Update openclaw to version 2026.3.2.
## Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | openclaw | <= 2026.3.1 | 2026.3.2 |
## Original title
OpenClaw has pre-auth webhook body parsing that can enable unauthenticated slow-request DoS
## Original description
## Impact
OpenClaw webhook handlers for BlueBubbles and Google Chat accepted and parsed request bodies before authentication and signature checks on vulnerable releases. This allowed unauthenticated clients to hold parser work open with slow/oversized request bodies and degrade availability (slow-request DoS).
## Affected Packages / Versions
- Package: `openclaw` (npm)
- Affected releases: `<= 2026.3.1`
- Latest published vulnerable version at triage time: `2026.3.1` (npm)
- Fixed release: `2026.3.2` (released)
## Fix Commit(s)
- `d3e8b17aa6432536806b4853edc7939d891d0f25`
## Mitigation
Upgrade to `2026.3.2` (or newer). The fix enforces auth-before-body for affected webhook paths, adds strict pre-auth body/time budgets, and introduces shared in-flight/request guardrails with regression coverage.
CVSS 4.0 (GHSA): 6.9
Vulnerability type: CWE-400 (Uncontrolled Resource Consumption)
Published: 3 Mar 2026 · Updated: 7 Mar 2026 · First seen: 6 Mar 2026