CVE-2026-35640

OpenClaw before 2026.3.25 parses JSON request bodies before validating webhook signatures, allowing unauthenticated attackers to force resource-intensive parsing operations. Remote attackers can send malicious webhook requests to trigger denial of service by exhausting server resources through forced JSON parsing before signature rejection.

CVSS v3 5.3 MEDIUM

5.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact LOW

Scope UNCHANGED

References

Link	Resource
https://github.com/openclaw/openclaw/commit/5e8cb22176e9235e224be0bc530699261eb60e53	Patch
https://github.com/openclaw/openclaw/security/advisories/GHSA-3h52-cx59-c456	Vendor Advisory
https://www.vulncheck.com/advisories/openclaw-denial-of-service-via-unauthenticated-webhook-request-parsing	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*

History

15 Apr 2026, 19:52

Type	Values Removed	Values Added
CPE		cpe:2.3:a:openclaw:openclaw::::::node.js::*
First Time		Openclaw openclaw Openclaw
References	~~() https://github.com/openclaw/openclaw/commit/5e8cb22176e9235e224be0bc530699261eb60e53 -~~	() https://github.com/openclaw/openclaw/commit/5e8cb22176e9235e224be0bc530699261eb60e53 - Patch
References	~~() https://github.com/openclaw/openclaw/security/advisories/GHSA-3h52-cx59-c456 -~~	() https://github.com/openclaw/openclaw/security/advisories/GHSA-3h52-cx59-c456 - Vendor Advisory
References	~~() https://www.vulncheck.com/advisories/openclaw-denial-of-service-via-unauthenticated-webhook-request-parsing -~~	() https://www.vulncheck.com/advisories/openclaw-denial-of-service-via-unauthenticated-webhook-request-parsing - Third Party Advisory

09 Apr 2026, 22:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-04-09 22:16

Updated : 2026-04-15 19:52

NVD link : CVE-2026-35640

Mitre link : CVE-2026-35640

CVE.ORG link : CVE-2026-35640

JSON object : View

Products Affected

openclaw

openclaw

CWE

CWE-696

Incorrect Behavior Order

{"id": "CVE-2026-35640", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "disclosure@vulncheck.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 3.9}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}], "cvssMetricV40": [{"type": "Secondary", "source": "disclosure@vulncheck.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 6.9, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-04-09T22:16:33.507", "references": [{"url": "https://github.com/openclaw/openclaw/commit/5e8cb22176e9235e224be0bc530699261eb60e53", "tags": ["Patch"], "source": "disclosure@vulncheck.com"}, {"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-3h52-cx59-c456", "tags": ["Vendor Advisory"], "source": "disclosure@vulncheck.com"}, {"url": "https://www.vulncheck.com/advisories/openclaw-denial-of-service-via-unauthenticated-webhook-request-parsing", "tags": ["Third Party Advisory"], "source": "disclosure@vulncheck.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "disclosure@vulncheck.com", "description": [{"lang": "en", "value": "CWE-696"}]}], "descriptions": [{"lang": "en", "value": "OpenClaw before 2026.3.25 parses JSON request bodies before validating webhook signatures, allowing unauthenticated attackers to force resource-intensive parsing operations. Remote attackers can send malicious webhook requests to trigger denial of service by exhausting server resources through forced JSON parsing before signature rejection."}], "lastModified": "2026-04-15T19:52:39.630", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "AC9C9003-CE72-4BFC-85B4-1E778E125CB1", "versionEndExcluding": "2026.3.25"}], "operator": "OR"}]}], "sourceIdentifier": "disclosure@vulncheck.com"}