CVE-2026-35626: OpenClaw is vulnerable to unauthenticated resource exhaustion through its voice call webhook handling
Voice Call webhook handling buffered request bodies before provider signature checks, enabling bounded unauthenticated resource exhaustion.
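One way to order the checks so that unauthenticated requests cost almost nothing, as an added example (not OpenClaw's code or its actual fix). The header name, the HMAC-SHA256-over-body scheme, and the 64 KiB cap are assumptions; the chunk list stands in for a streamed request body.

```javascript
const crypto = require("node:crypto");

const MAX_BODY_BYTES = 64 * 1024;          // assumed cap, not a value from the advisory
const SIG_HEADER = "x-provider-signature"; // hypothetical header name

// Checks that need no body: run these before reading a single byte.
function preBodyGate(headers) {
  const sig = headers[SIG_HEADER];
  if (typeof sig !== "string" || !/^[0-9a-f]{64}$/.test(sig)) return 401;
  const declared = Number(headers["content-length"]);
  if (Number.isFinite(declared) && declared > MAX_BODY_BYTES) return 413;
  return 0;
}

// Accumulate chunks but stop before the cap is crossed, so a chunked body
// with no (or a false) Content-Length cannot grow without limit.
function readCapped(chunks) {
  const kept = [];
  let buffered = 0;
  for (const chunk of chunks) {
    if (buffered + chunk.length > MAX_BODY_BYTES) return { body: null, buffered };
    kept.push(chunk);
    buffered += chunk.length;
  }
  return { body: Buffer.concat(kept), buffered };
}

// Constant-time comparison of the supplied signature against HMAC(secret, body).
function verifySignature(secret, body, sigHex) {
  const expected = crypto.createHmac("sha256", secret).update(body).digest();
  const given = Buffer.from(sigHex, "hex");
  return given.length === expected.length && crypto.timingSafeEqual(given, expected);
}

// Returns the HTTP status and how many bytes were held in memory to reach it.
function handleWebhook(headers, chunks, secret) {
  const gate = preBodyGate(headers);
  if (gate !== 0) return { status: gate, buffered: 0 };
  const { body, buffered } = readCapped(chunks);
  if (body === null) return { status: 413, buffered };
  const ok = verifySignature(secret, body, headers[SIG_HEADER]);
  return { status: ok ? 200 : 401, buffered };
}
```

The `buffered` field makes the worst case visible: a request without a well-formed signature header holds zero bytes, and any other request holds at most `MAX_BODY_BYTES`.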
References
- github.com/advisories/GHSA-rm59-992w-x2mv
- github.com/openclaw/openclaw
- github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87
- github.com/openclaw/openclaw/commit/651dc7450b68a5396a009db78ef9382633707ead
- github.com/openclaw/openclaw/security/advisories/GHSA-rm59-992w-x2mv
- nvd.nist.gov/vuln/detail/CVE-2026-35626
- www.vulncheck.com/advisories/openclaw-unauthenticated-resource-exhaustion-via-voice-call-webhook