CVE-2026-35627
Pre-Auth Resource Exhaustion in OpenClaw Nostr Message Handling
Publication date: 2026-04-09
Last updated on: 2026-04-16
Assigner: VulnCheck
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| openclaw | openclaw | all versions before 2026.3.22 (2026.3.22 itself is not affected) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-696 | Incorrect Behavior Order: the product performs multiple related behaviors, but performs them in the wrong order in ways that may produce resultant weaknesses. Here the expensive work (cryptography, dispatch) runs before the cheap sender/pairing check. |
AI Powered Q&A
Can you explain this vulnerability to me?
OpenClaw versions before 2026.3.22 handle inbound Nostr direct messages in the wrong order (CWE-696). The software performs cryptographic and dispatch operations on each incoming DM before it validates the sender and applies its pairing policy. For a Nostr DM, the cryptographic step includes at least the ECDH key agreement needed to decrypt the payload, so every message costs the recipient real computation regardless of who sent it.
Because the sender check comes after that work, an attacker needs no pairing, credentials or prior relationship with the bot: any Nostr key that can reach the bot's relays can send crafted direct messages and make it perform that computation for each one. Sending them in volume exhausts CPU and other resources, which is a pre-authentication denial of service.
How can this vulnerability impact me?
The primary impact is denial of service (DoS). An attacker can flood the OpenClaw instance with crafted Nostr direct messages, each of which forces expensive cryptographic work before the sender's legitimacy is ever checked. Because the check happens too late, the work cannot be refused cheaply up front, and the service can become degraded or unavailable for legitimate, paired users.
Upgrading to OpenClaw 2026.3.22 or later removes the affected behavior. The general hardening rule this advisory illustrates is to place the cheap authorization decision (is this sender paired/allowed?) ahead of any per-message cryptographic or dispatch work, so unpaired traffic is rejected at constant cost.