Resource exhaustion in OpenClaw - CVE-2026-35665

Published: May 1, 2026


Vulnerability identifier: #VU128732
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-35665
CWE-ID: CWE-400
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: OpenClaw
Affected software:
OpenClaw

Detailed vulnerability description

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to uncontrolled resource consumption (CWE-400) in the Feishu webhook handler: the handler processes the body of an incoming HTTP POST request before verifying the webhook signature, so the cost of handling a slow request is incurred for unauthenticated clients. A remote attacker who can reach the endpoint can open many concurrent POST requests whose bodies arrive slowly, tying up the handler until legitimate webhook deliveries are no longer processed.

Only OpenClaw instances running the Feishu channel in webhook mode are affected. Because the Feishu webhook endpoint must be publicly reachable for Feishu to deliver events, it is exposed to unauthenticated clients by design, which is what makes the pre-verification cost reachable.


How to mitigate CVE-2026-35665

Install the security update from the vendor's website. Until it is applied, exposure can be reduced with standard measures against slow-request resource exhaustion: place the Feishu webhook endpoint behind a reverse proxy that enforces a request-body read timeout, a body size limit and a cap on concurrent connections from a single client, since the attack depends on holding many unauthenticated connections open.
