CVE-2026-32011: OpenClaw has pre-auth webhook body parsing that can enable unauthenticated slow-request DoS
In vulnerable releases, the OpenClaw webhook handlers for BlueBubbles and Google Chat accepted and parsed request bodies before performing authentication and signature checks. An unauthenticated client could therefore keep parser work open with slow or oversized request bodies and degrade availability (slow-request denial of service).
References
- github.com/advisories/GHSA-x4vp-4235-65hg
- github.com/openclaw/openclaw
- github.com/openclaw/openclaw/commit/d3e8b17aa6432536806b4853edc7939d891d0f25
- github.com/openclaw/openclaw/security/advisories/GHSA-x4vp-4235-65hg
- nvd.nist.gov/vuln/detail/CVE-2026-32011
- www.vulncheck.com/advisories/openclaw-slow-request-denial-of-service-via-pre-auth-webhook-body-parsing