GHSA-x4vp-4235-65hg: OpenClaw has pre-auth webhook body parsing that can enable unauthenticated slow-request DoS
OpenClaw webhook handlers for BlueBubbles and Google Chat accepted and parsed request bodies before authentication and signature checks on vulnerable releases. This allowed unauthenticated clients to hold parser work open with slow/oversized request bodies and degrade availability (slow-request DoS).
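An added example (not OpenClaw's code) of the ordering whose absence the advisory describes: a Node-style webhook handler that authenticates from headers before attaching any body listener, then reads the body under a byte cap and a single deadline. The `x-webhook-token` header, the two limits and the function names are assumptions for illustration.

```javascript
// Added example; hypothetical handler, not OpenClaw's code.
const MAX_BODY_BYTES = 64 * 1024; // assumed cap for one webhook payload
const BODY_TIMEOUT_MS = 5000;     // assumed deadline for the whole body

// Constant-time comparison so the token check does not leak a prefix match.
function tokensMatch(given, expected) {
  if (typeof given !== 'string' || given.length !== expected.length) return false;
  let diff = 0;
  for (let i = 0; i < expected.length; i++) {
    diff |= given.charCodeAt(i) ^ expected.charCodeAt(i);
  }
  return diff === 0;
}

// Calls done(status, body) exactly once. `req` is a Node-style request
// (headers, on(), destroy()); `x-webhook-token` is an assumed header name.
function handleWebhook(req, expectedToken, done) {
  // 1. Authenticate from headers only; no body listener exists yet.
  if (!tokensMatch(req.headers['x-webhook-token'], expectedToken)) return done(401, null);
  // 2. Refuse a body that declares itself larger than the cap.
  if (Number(req.headers['content-length']) > MAX_BODY_BYTES) return done(413, null);

  const chunks = [];
  let received = 0;
  let finished = false;
  // 3. One deadline for the whole body, so a trickled body cannot pin the handler.
  const timer = setTimeout(() => finish(408, null), BODY_TIMEOUT_MS);
  function finish(status, body) {
    if (finished) return;
    finished = true;
    clearTimeout(timer);
    if (status !== 200) req.destroy(); // stop reading and drop the connection
    done(status, body);
  }
  req.on('data', (chunk) => {
    if (finished) return;
    received += chunk.length;
    // 4. Enforce the cap on bytes actually received, not just the declared length.
    if (received > MAX_BODY_BYTES) return finish(413, null);
    chunks.push(chunk);
  });
  req.on('end', () => {
    let parsed;
    try { parsed = JSON.parse(Buffer.concat(chunks).toString('utf8')); }
    catch (err) { return finish(400, null); }
    finish(200, parsed);
  });
  req.on('error', () => finish(400, null));
}
```

An unauthenticated request is answered with 401 without a single body byte being read or buffered by the handler, which is the property the vulnerable ordering lacked.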