CVE-2026-35640
Denial of Service via JSON Parsing in OpenClaw Webhooks
Publication date: 2026-04-09
Last updated on: 2026-04-15
Assigner: VulnCheck
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| openclaw | openclaw | to 2026.3.25 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-696 | The product performs multiple related behaviors, but the behaviors are performed in the wrong order in ways that may produce resultant weaknesses. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in OpenClaw versions before 2026.3.25. The software parses JSON request bodies before validating webhook signatures, which allows unauthenticated attackers to send malicious webhook requests. These requests force the server to perform resource-intensive JSON parsing operations before rejecting the request based on an invalid signature.
As a result, attackers can trigger a denial of service (DoS) by exhausting server resources through these forced parsing operations.
How can this vulnerability impact me? :
The primary impact of this vulnerability is a denial of service condition. Remote attackers can exploit it to exhaust server resources by sending malicious webhook requests that trigger expensive JSON parsing before signature validation.
This can lead to degraded performance or unavailability of the affected OpenClaw service, potentially disrupting normal operations.