CVE-2026-35626

MEDIUM 5.3

OpenClaw < 2026.3.22 - Unauthenticated Resource Exhaustion via Voice Call Webhook

CVSS Score

5.3

EPSS Score

0.1%

EPSS Percentile

20th

OpenClaw before 2026.3.22 contains an unauthenticated resource exhaustion vulnerability in voice call webhook handling that buffers request bodies before provider signature checks. Attackers can send large or malicious webhook requests to exhaust server resources without authentication by bypassing signature validation.

CWE	CWE-405
Vendor	openclaw
Product	openclaw
Published	Apr 9, 2026
Last Updated	Apr 14, 2026

Stay Ahead of the Next One

Get instant alerts for openclaw openclaw

Be the first to know when new medium vulnerabilities affecting openclaw openclaw are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

Low

Affected Versions

OpenClaw / OpenClaw

0 < 2026.3.22

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/openclaw/openclaw/security/advisories/GHSA-rm59-992w-x2mv github.com: https://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87 github.com: https://github.com/openclaw/openclaw/commit/651dc7450b68a5396a009db78ef9382633707ead vulncheck.com: https://www.vulncheck.com/advisories/openclaw-unauthenticated-resource-exhaustion-via-voice-call-webhook

Credits

🔍 Seokjun Ryu (@SEORY0)