GHSA-x4vp-4235-65hg
Suggest an improvement- Source
- https://github.com/advisories/GHSA-x4vp-4235-65hg
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-x4vp-4235-65hg/GHSA-x4vp-4235-65hg.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-x4vp-4235-65hg
- Aliases
- Downstream
- Published
- 2026-03-03T21:18:39Z
- Modified
- 2026-03-20T21:18:51.341802Z
- Severity
-
- 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
- 6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- OpenClaw has pre-auth webhook body parsing that can enable unauthenticated slow-request DoS
- Details
-
Impact
OpenClaw webhook handlers for BlueBubbles and Google Chat accepted and parsed request bodies before authentication and signature checks on vulnerable releases. This allowed unauthenticated clients to hold parser work open with slow/oversized request bodies and degrade availability (slow-request DoS).
Affected Packages / Versions
- Package:
openclaw(npm) - Affected releases:
<= 2026.3.1 - Latest published vulnerable version at triage time:
2026.3.1(npm) - Fixed release:
2026.3.2(released)
Fix Commit(s)
d3e8b17aa6432536806b4853edc7939d891d0f25
Mitigation
Upgrade to
2026.3.2(or newer). The fix enforces auth-before-body for affected webhook paths, adds strict pre-auth body/time budgets, and introduces shared in-flight/request guardrails with regression coverage. - Package:
- Database specific
{ "severity": "MODERATE", "cwe_ids": [ "CWE-400", "CWE-770" ], "github_reviewed": true, "github_reviewed_at": "2026-03-03T21:18:39Z", "nvd_published_at": "2026-03-19T22:16:34Z" }- References
-
- https://github.com/openclaw/openclaw/security/advisories/GHSA-x4vp-4235-65hg
- https://nvd.nist.gov/vuln/detail/CVE-2026-32011
- https://github.com/openclaw/openclaw/commit/d3e8b17aa6432536806b4853edc7939d891d0f25
- https://github.com/openclaw/openclaw
- https://www.vulncheck.com/advisories/openclaw-slow-request-denial-of-service-via-pre-auth-webhook-body-parsing
Affected packages
npm / openclaw
Package
- Name
- openclaw
- View open source insights on deps.dev
- Purl
- pkg:npm/openclaw