CVE-2026-35640 (severity: MEDIUM)

CVE-2026-35640: OpenClaw < 2026.3.25 - Denial of Service via Unauthenticated Webhook Request Parsing

Vendor: Openclaw
Product: OpenClaw
Weakness: CWE-696 (Incorrect Behavior Order)
Published: April 9, 2026
Last update: April 10, 2026

CVSS base score

6.9/10

Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: None
Confidentiality: None
Integrity: None

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

What the vulnerability does

Description

OpenClaw before 2026.3.25 parses JSON request bodies before validating webhook signatures. Because the parse happens first, a remote attacker who holds no valid signing key can still make the server spend CPU and memory parsing attacker-controlled JSON; the request is rejected only after that work is done. Sending such unauthenticated webhook requests exhausts server resources and results in a denial of service.
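As an added illustration, not OpenClaw's own code, the following Python sketch puts the two orderings side by side. It assumes an HMAC-SHA256 signature over the raw request body carried in a `sha256=` header value; the secret, size limit and request bodies are constructed for the example.

```python
import hashlib
import hmac
import json

MAX_BODY_BYTES = 64 * 1024          # constructed limit; size it to real payloads
PARSE_CALLS = {"count": 0}           # counts how often attacker bytes reach the parser


def sign(raw_body: bytes, secret: bytes) -> str:
    """Header value a legitimate sender would attach (assumed format)."""
    return "sha256=" + hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def verify_signature(raw_body: bytes, signature_header: str, secret: bytes) -> bool:
    """Verify over the *raw* bytes, before any parsing touches the body."""
    if not signature_header.startswith("sha256="):
        return False
    expected = hmac.new(secret, raw_body, hashlib.sha256).hexdigest()
    # compare_digest keeps the comparison constant-time
    return hmac.compare_digest(signature_header[len("sha256="):], expected)


def parse_json(raw_body: bytes):
    PARSE_CALLS["count"] += 1        # instrumentation only
    return json.loads(raw_body)


def handle_webhook_vulnerable(raw_body, signature_header, secret):
    # The ordering the advisory describes: parse first, check signature second,
    # so unauthenticated bodies are always parsed before they are rejected.
    payload = parse_json(raw_body)
    if not verify_signature(raw_body, signature_header, secret):
        return 401, None
    return 200, payload


def handle_webhook_fixed(raw_body, signature_header, secret):
    # Cheapest rejections first: size cap, then signature over raw bytes,
    # and only then the expensive parse of a body we know is authentic.
    if len(raw_body) > MAX_BODY_BYTES:
        return 413, None
    if not verify_signature(raw_body, signature_header, secret):
        return 401, None
    try:
        return 200, parse_json(raw_body)
    except json.JSONDecodeError:
        return 400, None
```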

Key dates

Disclosure timeline

April 9, 2026: CVE published
April 10, 2026: Record updated