CVE-2026-32980
Received Received - Intake
Resource Exhaustion via Unauthenticated Telegram Webhook in OpenClaw

Publication date: 2026-03-29

Last updated on: 2026-03-31

Assigner: VulnCheck

Description
OpenClaw before 2026.3.13 reads and buffers Telegram webhook request bodies before validating the x-telegram-bot-api-secret-token header, allowing unauthenticated attackers to exhaust server resources. Attackers can send POST requests to the webhook endpoint to force memory consumption, socket time, and JSON parsing work before authentication validation occurs.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-29
Last Modified
2026-03-31
Generated
2026-06-16
AI Q&A
2026-03-29
EPSS Evaluated
2026-06-15
NVD
CVE-2026-32980
EUVD
EUVD-2026-17020
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
openclaw openclaw to 2026.3.13 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-770 The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-32980 is a resource exhaustion vulnerability in OpenClaw versions before 2026.3.13. The issue arises because the software reads and buffers the entire Telegram webhook request body before validating the secret token header (x-telegram-bot-api-secret-token). This allows unauthenticated attackers to send POST requests that force the server to consume excessive memory, socket time, and CPU resources due to JSON parsing and buffering operations before any authentication check is performed.

The root cause is that the authentication boundary is checked too late, after the server has already processed potentially large request bodies, enabling attackers to exhaust server resources and potentially cause denial of service.

Impact Analysis

This vulnerability can impact you by allowing unauthenticated attackers to exhaust your server's resources such as memory, socket connections, and CPU time. This can lead to degraded performance or denial of service, making your OpenClaw server unavailable or unstable.

Since the attack requires no privileges or user interaction and can be performed remotely over the network, it poses a high risk to availability.

Detection Guidance

This vulnerability can be detected by monitoring for unusual POST requests to the Telegram webhook endpoint that consume excessive server resources such as memory, CPU, or socket time before authentication is validated.

Since the vulnerability involves unauthenticated POST requests that cause resource exhaustion by sending large request bodies, detection can involve inspecting network traffic for POST requests to the webhook URL and checking server logs for high resource usage correlated with these requests.

Commands to help detect this might include:

  • Using network monitoring tools like tcpdump or Wireshark to capture POST requests to the webhook endpoint.
  • Using curl or similar tools to simulate POST requests without the correct `x-telegram-bot-api-secret-token` header and observing server behavior.
  • Checking server resource usage with commands like `top`, `htop`, or `vmstat` during suspected attack periods.
  • Reviewing server logs for repeated 401 Unauthorized responses or unusually large request bodies being processed.
Mitigation Strategies

The immediate mitigation step is to upgrade OpenClaw to version 2026.3.13 or later, where the vulnerability is fixed by validating the Telegram webhook secret token before reading or parsing the request body.

This fix ensures that unauthorized requests are rejected immediately with a 401 Unauthorized response, preventing resource exhaustion caused by processing large request bodies from unauthenticated sources.

If upgrading immediately is not possible, consider implementing network-level protections such as rate limiting POST requests to the webhook endpoint, blocking requests missing the correct `x-telegram-bot-api-secret-token` header, or using a web application firewall (WAF) to filter suspicious traffic.

Compliance Impact

CVE-2026-32980 is a resource exhaustion vulnerability that allows unauthenticated attackers to consume excessive server resources by sending POST requests to the Telegram webhook endpoint before authentication validation occurs.

While the vulnerability primarily impacts availability by enabling denial-of-service conditions, there is no direct indication from the provided information that it leads to unauthorized access to sensitive data or breaches of confidentiality or integrity.

Therefore, the vulnerability's impact on compliance with standards like GDPR or HIPAA, which focus on data privacy and protection, is indirect and primarily related to potential service disruption rather than data exposure or unauthorized data processing.

Organizations relying on OpenClaw should consider that denial-of-service incidents can affect availability requirements under such regulations, but no explicit data breach or privacy violation is described in the context of this vulnerability.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-32980. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart