Executive Summary

CVE-2026-35665 is a vulnerability in OpenClaw versions before 2026.3.24 affecting the Feishu webhook handler. The handler accepts HTTP POST request bodies with permissive limits of up to 1MB in size and a 30-second timeout before verifying the request signature. This incomplete fix for a previous vulnerability (CVE-2026-32011) allows an unauthenticated attacker to send slow HTTP POST requests that trickle data very slowly, holding connections open for up to 30 seconds.

By opening multiple concurrent slow connections (around 50), the attacker can exhaust server connection resources, causing legitimate webhook deliveries to be blocked and resulting in a Denial of Service (DoS). No valid webhook signature or credentials are required to exploit this issue.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can cause a Denial of Service (DoS) on any OpenClaw instance running the Feishu webhook. An attacker can exhaust server connection resources by sending multiple slow HTTP POST requests concurrently, blocking legitimate webhook deliveries.

• The Feishu webhook endpoint is publicly accessible, making it directly targetable.
• Approximately 50 concurrent slow connections can exhaust server capacity for 30 seconds per attack wave.
• Memory consumption can reach about 50MB per attack wave due to buffering of request bodies.
• No privileges, user interaction, or valid credentials are required to exploit this vulnerability.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by monitoring for multiple concurrent slow HTTP POST requests targeting the Feishu webhook endpoint, typically at the path /feishu/events with Content-Type: application/json.

An attacker exploits the permissive limits by sending slow-body or Slowloris-style requests that trickle data very slowly (e.g., 1 byte per second) for up to 30 seconds, exhausting server connection resources.

To detect such activity, you can use network monitoring tools or commands to identify many simultaneous slow POST connections to the Feishu webhook endpoint.

• Use netstat or ss to check for many open connections to the server on the HTTP port (e.g., 80 or 443) with long durations:
• netstat -anp | grep ':80' | grep ESTABLISHED | wc -l
• ss -tnp state established '( dport = :80 )' | wc -l
• Use tools like tcpdump or Wireshark to capture and analyze HTTP POST requests to /feishu/events and look for slow data transfer patterns.
• Use application logs to identify slow or hanging POST requests to the Feishu webhook endpoint.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation involves reducing the permissive pre-authentication request body size and timeout limits for the Feishu webhook handler to match the stricter limits used by other webhook handlers.

Specifically, configure the Feishu webhook handler to enforce a maximum request body size of 64KB and a timeout of 5 seconds before signature verification.

This change prevents attackers from holding connections open for long periods with slow POST requests, thereby reducing the risk of resource exhaustion and Denial of Service.

Additionally, monitor your server for unusual numbers of slow or hanging connections to the Feishu webhook endpoint and consider implementing rate limiting or connection limits at the network or application level.

Currently, no patched version exists specifically for this issue in the Feishu extension, so manual configuration or code changes are necessary.

Useful 0 Not Useful 0

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Useful 0 Not Useful 0