CVE-2026-35640

MEDIUM

OpenClaw before 2026.3.25 parses JSON request bodies before validating webhook signatures, allowing unauthenticated attackers to force resource-intensive parsing operations. Remote attackers can send malicious webhook requests to trigger denial of service by exhausting server resources through forced JSON parsing before signature rejection.

CVSS v3.1 Score

5.3
MEDIUM
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Attack Vector
NETWORK
Complexity
LOW
Privileges
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
NONE
Integrity
NONE
Availability
LOW
Published: 4/9/2026Modified: 4/15/2026

Related Intelligence (1)

HIGHVulnerability

NVD HIGH: CVE-2026-35640 — OpenClaw before 2026.3.25 parses JSON request bodies before validating webhook s...

OpenClaw before 2026.3.25 parses JSON request bodies before validating webhook signatures, allowing unauthenticated attackers to force resource-intensive parsing operations. Remote attackers can send malicious webhook requests to trigger denial of service by exhausting server resources through forced JSON parsing before signature rejection.

CVE-2026-35640
NIST NVD

References (3)

https://github.com/openclaw/openclaw/commit/5e8cb22176e9235e224be0bc530699261eb60e53Patchhttps://github.com/openclaw/openclaw/security/advisories/GHSA-3h52-cx59-c456Vendor Advisoryhttps://www.vulncheck.com/advisories/openclaw-denial-of-service-via-unauthenticated-webhook-request-parsingThird Party Advisory