CVE-2026-32011
HIGH 7.5 | EPSS 0.09% | OpenClaw has pre-auth webhook body parsing that can enable unauthenticated slow-request DoS
Description

## Impact

OpenClaw webhook handlers for BlueBubbles and Google Chat accepted and parsed request bodies before authentication and signature checks on vulnerable releases. This allowed unauthenticated clients to hold parser work open with slow/oversized request bodies and degrade availability (slow-request DoS).

## Affected Packages / Versions

- Package: `openclaw` (npm)
- Affected releases: `<= 2026.3.1`
- Latest published vulnerable version at triage time: `2026.3.1` (npm)
- Fixed release: `2026.3.2` (released)

## Fix Commit(s)

- `d3e8b17aa6432536806b4853edc7939d891d0f25`

## Mitigation

Upgrade to `2026.3.2` (or newer). The fix enforces auth-before-body for affected webhook paths, adds strict pre-auth body/time budgets, and introduces shared in-flight/request guardrails with regression coverage.
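The vulnerable ordering and the auth-before-body fix described above, as an added illustration that is not OpenClaw's code: both handlers are written as pure functions over already-received body chunks so the difference is testable offline, with an assumed `x-webhook-token` shared-secret header standing in for the real signature checks and constructed byte/time budgets standing in for the real limits.

```javascript
// Added example, not OpenClaw's code. Budgets are constructed for illustration;
// the real fix's limits are not stated on the advisory page.
const MAX_BODY_BYTES = 64 * 1024;
const MAX_BODY_WINDOW_MS = 5000;

// Constant-time string compare so the token check itself does not leak by timing.
function constantTimeEqual(a, b) {
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Assumed cheap pre-auth credential: a shared-secret header (hypothetical scheme).
function preAuthOk(headers, secret) {
  return constantTimeEqual(headers['x-webhook-token'] || '', secret);
}

// Vulnerable ordering: the whole body is buffered and JSON-parsed before any
// auth check, so unauthenticated clients consume parser work for every request.
function vulnerableHandle(headers, chunks, secret) {
  const body = Buffer.concat(chunks);
  let parsed;
  try { parsed = JSON.parse(body.toString('utf8')); } catch { return { status: 400, bytesRead: body.length }; }
  if (!preAuthOk(headers, secret)) return { status: 401, bytesRead: body.length };
  return { status: 200, bytesRead: body.length, event: parsed.event };
}

// Hardened ordering: auth first (zero body bytes touched on failure), then the
// body is consumed chunk by chunk under byte and wall-clock budgets, and parsed
// only once complete. chunks[i] is taken to arrive at arrivalMs[i] (simulated).
function hardenedHandle(headers, chunks, arrivalMs, secret) {
  if (!preAuthOk(headers, secret)) return { status: 401, bytesRead: 0 };
  const start = arrivalMs[0] ?? 0;
  const parts = [];
  let total = 0;
  for (let i = 0; i < chunks.length; i++) {
    if (arrivalMs[i] - start > MAX_BODY_WINDOW_MS) return { status: 408, bytesRead: total };
    total += chunks[i].length;
    if (total > MAX_BODY_BYTES) return { status: 413, bytesRead: total };
    parts.push(chunks[i]);
  }
  let parsed;
  try { parsed = JSON.parse(Buffer.concat(parts).toString('utf8')); } catch { return { status: 400, bytesRead: total }; }
  return { status: 200, bytesRead: total, event: parsed.event };
}
```

In a real server the budgets would be enforced on the request stream itself (destroying the socket on overrun) rather than on a pre-collected chunk array; the pure-function form only isolates the ordering and the guardrails.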
Affected packages (1)
- npm/openclaw: from 0, < 2026.3.2
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N |
| osv | CVSS 3.1 | HIGH 7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
References (5)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2026-32011
- PATCH: https://github.com/openclaw/openclaw
- WEB: https://github.com/openclaw/openclaw/commit/d3e8b17aa6432536806b4853edc7939d891d0f25
- WEB: https://github.com/openclaw/openclaw/security/advisories/GHSA-x4vp-4235-65hg
- WEB: https://www.vulncheck.com/advisories/openclaw-slow-request-denial-of-service-via-pre-auth-webhook-body-parsing