OpenClaw Denial-of-Service Vulnerability via Pre-Authentication Webhook Body Parsing

Vulnerability

A denial-of-service vulnerability has been identified in OpenClaw versions prior to 2026.3.2. The issue resides in the webhook handlers for BlueBubbles and Google Chat, which read and parse the request body before the request has been authenticated and its signature validated. Because the expensive step runs first, an unauthenticated attacker who can reach the endpoint can send oversized request bodies, or trickle a body in slowly, and tie up parser resources for the duration of each request, degrading availability for legitimate webhook traffic.

Impact

Exploitation of this vulnerability leads to a slow-request denial-of-service condition, where the service becomes less responsive or unavailable due to resource exhaustion from parsing delayed or large webhook bodies.

Reproduction

The vulnerability can be reproduced by sending a POST request to the BlueBubbles or Google Chat webhook endpoint with a 'guid' or 'password' query parameter. The parameter value does not need to be valid, because the body is read and parsed before it is checked. A sufficiently large payload, or one sent slowly a few bytes at a time, gets around the default body read limits and keeps the parser busy for the whole request. A server that does not fail the request immediately on the invalid credential, but instead waits for the full body before responding, exhibits the pre-authentication parsing.

Remediation

Users are advised to upgrade to OpenClaw version 2026.3.2 or later, where this vulnerability has been patched by enforcing authentication before body parsing for the affected webhook handlers. Where an immediate upgrade is not possible, a reverse proxy in front of the webhook paths that caps request body size and the time allowed to receive a body reduces exposure, but it does not remove the ordering defect itself.

Added: Mar 19, 2026, 10:48 PM
Updated: Mar 19, 2026, 10:48 PM

Vulnerability Rating

Custom Algorithm

  spread          0.0
  impact          2.5
  exploitability  8.4
  remediation     0.0
  relevance       4.1
  threat          4.8
  urgency         2.9
  incentive       4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.