CVE-2026-35626
Unauthenticated Resource Exhaustion in OpenClaw Voice Webhook Handling
Publication date: 2026-04-09
Last updated on: 2026-04-15
Assigner: VulnCheck
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| openclaw | openclaw | to 2026.3.22 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-405 | The product does not properly control situations in which an adversary can cause the product to consume or produce excessive resources without requiring the adversary to invest equivalent work or otherwise prove authorization, i.e., the adversary's influence is "asymmetric." |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in OpenClaw versions before 2026.3.22 and is an unauthenticated resource exhaustion issue in the handling of voice call webhooks.
Specifically, the webhook handler buffers the entire request body before verifying the provider's signature, so an attacker can send large or malformed webhook requests without holding valid credentials and the server still reads them fully into memory.
Because the signature check only happens after the body has been buffered, it never gets the chance to cheaply reject these requests, and an attacker can exhaust server resources, potentially leading to denial of service.
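The vulnerable pattern described above (read the whole body, then verify) next to a bounded version, as an added example that is not OpenClaw's code. The signature scheme (hex HMAC-SHA256 over the raw body in an `X-Signature` header), the 64 KiB cap and the shared secret are all assumptions chosen for the demonstration; real voice providers use their own schemes. Since a body-covering signature cannot be checked before the body is read, the defence is to refuse cheaply first (missing header, oversized `Content-Length`) and then never read more than the cap plus one byte.

```python
import hashlib
import hmac
import io
from typing import Optional

# Constructed shared secret standing in for a real provider's webhook secret (assumption).
WEBHOOK_SECRET = b"constructed-demo-secret"
# Assumed body cap; size it to the largest legitimate provider payload plus headroom.
MAX_BODY_BYTES = 64 * 1024


def sign(body: bytes, secret: bytes = WEBHOOK_SECRET) -> str:
    """Assumed scheme: hex HMAC-SHA256 over the raw body. Real providers differ."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_signature(body: bytes, header_value: Optional[str], secret: bytes = WEBHOOK_SECRET) -> bool:
    """Constant-time comparison of the provider's signature against our own."""
    if not header_value:
        return False
    return hmac.compare_digest(sign(body, secret).encode(), header_value.encode())


class CountingStream(io.BytesIO):
    """BytesIO that records how many bytes a handler actually consumed."""

    def __init__(self, data: bytes):
        super().__init__(data)
        self.bytes_read = 0

    def read(self, size: int = -1) -> bytes:
        chunk = super().read(size)
        self.bytes_read += len(chunk)
        return chunk


def handle_webhook_unbounded(headers: dict, stream: io.BufferedIOBase):
    """Vulnerable pattern: buffer everything, then verify.
    The sender controls how much memory this call allocates."""
    body = stream.read()
    if not verify_signature(body, headers.get("X-Signature")):
        return 401, "bad signature"
    return 200, f"accepted {len(body)} bytes"


def handle_webhook_bounded(headers: dict, stream: io.BufferedIOBase, max_body_bytes: int = MAX_BODY_BYTES):
    """Hardened pattern: cheap rejections first, bounded read, then verify."""
    sig = headers.get("X-Signature")
    if not sig:
        return 401, "missing signature"            # nothing read yet
    declared = headers.get("Content-Length")
    if declared is not None and int(declared) > max_body_bytes:
        return 413, "declared body too large"      # still nothing read
    body = stream.read(max_body_bytes + 1)         # never buffer more than cap + 1
    if len(body) > max_body_bytes:
        return 413, "body exceeds limit"
    if not verify_signature(body, sig):
        return 401, "bad signature"
    return 200, f"accepted {len(body)} bytes"


def demo() -> dict:
    """Run both handlers against a constructed flood payload and a legitimate event."""
    legit = b'{"call_sid":"CA-constructed","event":"ringing"}'   # constructed sample
    flood = b"A" * (MAX_BODY_BYTES * 4)                           # unsigned oversized body
    results = {}
    s = CountingStream(flood)
    results["unbounded"] = (handle_webhook_unbounded({"X-Signature": "bogus"}, s)[0], s.bytes_read)
    s = CountingStream(flood)
    results["bounded"] = (handle_webhook_bounded({"X-Signature": "bogus"}, s)[0], s.bytes_read)
    s = CountingStream(legit)
    results["legit"] = handle_webhook_bounded({"X-Signature": sign(legit)}, s)[0]
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

Both handlers return 401 for the unsigned flood, but only the bounded one stops reading at the cap; the unbounded one has already pulled the entire body into memory before it can say no. In a real deployment the cap belongs at the HTTP layer too (reverse proxy or framework body limit), with the handler's own check as the second line.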
How can this vulnerability impact me?
This vulnerability can impact you by allowing unauthenticated attackers to exhaust server resources with large or malformed webhook requests.
The result could be degraded performance or denial of service, affecting the availability of the OpenClaw service.