SecuriTricks - CVE-2026-35640

Description

OpenClaw before 2026.3.25 parses JSON request bodies before validating webhook signatures, allowing unauthenticated attackers to force resource-intensive parsing operations. Remote attackers can send malicious webhook requests to trigger denial of service by exhausting server resources through forced JSON parsing before signature rejection.

Product(s) Impacted

Vendor	Product	Versions
Openclaw	Openclaw	<2026.3.25

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-696

Incorrect Behavior Order

The product performs multiple related behaviors, but the behaviors are performed in the wrong order in ways which may produce resultant weaknesses.

*CPE(s)

Affected systems and software identified for this CVE.

Type	Vendor	Product	Version	Update	Edition	Language	Software Edition	Target Software	Target Hardware	Other Information
a	openclaw	openclaw	<2026.3.25	/	/	/	/	/	/	/

References

https://github.com/openclaw/openclaw/commit/5e8cb22176e9235e224be0bc530699261eb60e53

https://github.com/openclaw/openclaw/security/advisories/GHSA-3h52-cx59-c456

https://www.vulncheck.com/advisories/openclaw-denial-of-service-via-unauthenticated-webhook-request-parsing

CVSS Score

6.9 / 10

CVSS Data - 4.0

Attack Vector: NETWORK
Attack Complexity: LOW
Attack Requirements: NONE
Privileges Required: NONE
User Interaction: NONE
Scope:
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: LOW
Exploit Maturity: NOT_DEFINED

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

View Vector String

Timeline

Published: April 9, 2026, 10:16 p.m.
Last Modified: April 9, 2026, 10:16 p.m.

Status : Received

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

[email protected]

CVE-2026-35640