GHSA-2hv5-4h3g-4hjv: Duplicate Advisory: OpenClaw: LINE webhook handler lacks shared pre-auth concurrency budget before signature verification
Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-6336-qqw9-v6x6. This link is maintained to preserve external references.
Original Description
OpenClaw before 2026.3.31 lacks a shared pre-auth concurrency budget on the public LINE webhook path, allowing attackers to cause transient availability loss. Remote attackers can flood the webhook endpoint with concurrent requests before signature verification to exhaust resources and degrade service availability.
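One way to put a shared concurrency budget in front of signature verification, as an added example that is not OpenClaw's code or its fix: the slot is claimed before any body byte is read and released once the signature check finishes. PreAuthBudget, handleWebhook, both limits and the injected readBody, verifySignature and onEvent callbacks are assumptions made for illustration.

```javascript
// Added example: every name here is hypothetical, not taken from OpenClaw.
const MAX_PRE_AUTH_IN_FLIGHT = 8;   // assumed cap shared by all unauthenticated requests
const MAX_BODY_BYTES = 64 * 1024;   // assumed body-size limit applied before verification

class PreAuthBudget {
  constructor(maxInFlight = MAX_PRE_AUTH_IN_FLIGHT) {
    this.maxInFlight = maxInFlight;
    this.inFlight = 0;
    this.rejected = 0;
  }

  // Returns a release function, or null when the budget is exhausted.
  tryAcquire() {
    if (this.inFlight >= this.maxInFlight) {
      this.rejected += 1;
      return null;
    }
    this.inFlight += 1;
    let released = false;
    return () => {
      if (released) return;   // a double release must not free another request's slot
      released = true;
      this.inFlight -= 1;
    };
  }
}

// readBody(req, limit) -> Promise of the raw body; verifySignature(body, header) -> boolean.
// Both are injected stand-ins for the real body reader and signature check.
async function handleWebhook(req, budget, readBody, verifySignature, onEvent) {
  const release = budget.tryAcquire();          // taken before any body byte is read
  if (!release) return { status: 429, retryAfterSeconds: 1 };
  let body;
  try {
    body = await readBody(req, MAX_BODY_BYTES);
    if (!verifySignature(body, req.headers["x-line-signature"])) {
      return { status: 401 };
    }
  } catch {
    return { status: 400 };                     // oversized, truncated or timed-out body
  } finally {
    release();                                  // slot covers only the unauthenticated phase
  }
  await onEvent(body);                          // authenticated work runs outside the budget
  return { status: 200 };
}
```

The rejected counter gives operators a signal to alert on when the unauthenticated path is being saturated.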
References
- github.com/advisories/GHSA-2hv5-4h3g-4hjv
- github.com/openclaw/openclaw/commit/57c47d8c7fbf5a2e70cc4dec2380977968903cad
- github.com/openclaw/openclaw/security/advisories/GHSA-qcc3-jqwp-5vh2
- nvd.nist.gov/vuln/detail/CVE-2026-41343
- www.vulncheck.com/advisories/openclaw-denial-of-service-via-line-webhook-handler-pre-auth-concurrency