CVE-2026-35640

MEDIUM

OpenClaw before 2026.3.25 parses JSON request bodies before validating webhook signatures, allowing unauthenticated attackers to force resource-intensive parsing operations. Remote attackers can send malicious webhook requests to trigger denial of service by exhausting server resources through forced JSON parsing before signature rejection.

CVSS v3.1 Score

5.3

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Attack Vector

NETWORK

Complexity

LOW

Privileges

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

NONE

Availability

LOW

Published: 4/9/2026Modified: 4/15/2026

Related Intelligence (0)

No articles currently reference this CVE.

References (3)

https://github.com/openclaw/openclaw/commit/5e8cb22176e9235e224be0bc530699261eb60e53Patch https://github.com/openclaw/openclaw/security/advisories/GHSA-3h52-cx59-c456Vendor Advisory https://www.vulncheck.com/advisories/openclaw-denial-of-service-via-unauthenticated-webhook-request-parsingThird Party Advisory