GHSA-2hv5-4h3g-4hjv
Suggest an improvement- Source
- https://github.com/advisories/GHSA-2hv5-4h3g-4hjv
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-2hv5-4h3g-4hjv/GHSA-2hv5-4h3g-4hjv.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-2hv5-4h3g-4hjv
- Downstream
- Withdrawn
- 2026-05-04T21:55:37Z
- Published
- 2026-04-24T00:31:51Z
- Modified
- 2026-05-05T15:59:46.095563Z
- Severity
-
- 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVSS Calculator
- 6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X CVSS Calculator
- Summary
- Duplicate Advisory: OpenClaw: LINE webhook handler lacks shared pre-auth concurrency budget before signature verification
- Details
-
Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-6336-qqw9-v6x6. This link is maintained to preserve external references.
Original Description
OpenClaw before 2026.3.31 lacks a shared pre-auth concurrency budget on the public LINE webhook path, allowing attackers to cause transient availability loss. Remote attackers can flood the webhook endpoint with concurrent requests before signature verification to exhaust resources and degrade service availability.
- Database specific
{ "github_reviewed": true, "github_reviewed_at": "2026-05-04T21:55:37Z", "cwe_ids": [ "CWE-799" ], "severity": "MODERATE", "nvd_published_at": "2026-04-23T22:16:40Z" }- References
-
- https://github.com/openclaw/openclaw/security/advisories/GHSA-qcc3-jqwp-5vh2
- https://nvd.nist.gov/vuln/detail/CVE-2026-41343
- https://github.com/openclaw/openclaw/commit/57c47d8c7fbf5a2e70cc4dec2380977968903cad
- https://www.vulncheck.com/advisories/openclaw-denial-of-service-via-line-webhook-handler-pre-auth-concurrency
Affected packages
npm / openclaw
Package
- Name
- openclaw
- View open source insights on deps.dev
- Purl
- pkg:npm/openclaw