GHSA-w6m8-cqvj-pg5v: OpenClaw has incomplete Fix for CVE-2026-32011: Feishu Webhook Pre-Auth Body Parsing DoS (Slow-Body / Slowloris Variant)

March 30, 2026

The patch for CVE-2026-32011 tightened pre-auth body parsing limits (from 1MB/30s to 64KB/5s) across several webhook handlers. However, the Feishu extension’s webhook handler was not included in the patch and still accepts request bodies with the old permissive limits (1MB body, 30-second timeout) before verifying the webhook signature. An unauthenticated attacker can exhaust server connection resources by sending concurrent slow HTTP POST requests to the Feishu webhook endpoint.

References

github.com/advisories/GHSA-w6m8-cqvj-pg5v
github.com/openclaw/openclaw
github.com/openclaw/openclaw/security/advisories/GHSA-w6m8-cqvj-pg5v
github.com/openclaw/openclaw/security/advisories/GHSA-x4vp-4235-65hg

Code Behaviors & Features

Detect and mitigate GHSA-w6m8-cqvj-pg5v with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →