CVE-2026-32011

OpenClaw versions prior to 2026.3.2 contain a denial of service vulnerability in webhook handlers for BlueBubbles and Google Chat that parse request bodies before performing authentication and signature validation. Unauthenticated attackers can exploit this by sending slow or oversized request bodies to exhaust parser resources and degrade service availability.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/openclaw/openclaw/commit/d3e8b17aa6432536806b4853edc7939d891d0f25	Patch
https://github.com/openclaw/openclaw/security/advisories/GHSA-x4vp-4235-65hg	Mitigation Vendor Advisory
https://www.vulncheck.com/advisories/openclaw-slow-request-denial-of-service-via-pre-auth-webhook-body-parsing	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*

History

23 Mar 2026, 18:29

Type	Values Removed	Values Added
Summary		(es) Versiones de OpenClaw anteriores a 2026.3.2 contienen una vulnerabilidad de denegación de servicio en los manejadores de webhooks para BlueBubbles y Google Chat que analizan los cuerpos de las solicitudes antes de realizar la autenticación y la validación de firma. Atacantes no autenticados pueden explotar esto enviando cuerpos de solicitud lentos o sobredimensionados para agotar los recursos del analizador y degradar la disponibilidad del servicio.
CPE		cpe:2.3:a:openclaw:openclaw::::::node.js::*
References	~~() https://github.com/openclaw/openclaw/commit/d3e8b17aa6432536806b4853edc7939d891d0f25 -~~	() https://github.com/openclaw/openclaw/commit/d3e8b17aa6432536806b4853edc7939d891d0f25 - Patch
References	~~() https://github.com/openclaw/openclaw/security/advisories/GHSA-x4vp-4235-65hg -~~	() https://github.com/openclaw/openclaw/security/advisories/GHSA-x4vp-4235-65hg - Mitigation, Vendor Advisory
References	~~() https://www.vulncheck.com/advisories/openclaw-slow-request-denial-of-service-via-pre-auth-webhook-body-parsing -~~	() https://www.vulncheck.com/advisories/openclaw-slow-request-denial-of-service-via-pre-auth-webhook-body-parsing - Third Party Advisory
First Time		Openclaw openclaw Openclaw

19 Mar 2026, 22:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-19 22:16

Updated : 2026-03-23 18:29

NVD link : CVE-2026-32011

Mitre link : CVE-2026-32011

CVE.ORG link : CVE-2026-32011

JSON object : View

Products Affected

openclaw

openclaw

CWE

CWE-770

Allocation of Resources Without Limits or Throttling

7.5 /10