OpenClaw Resource Exhaustion Vulnerability via Unauthenticated Telegram Webhook Request

Vulnerability

A resource exhaustion vulnerability has been identified in OpenClaw versions prior to 2026.3.13. The issue arises because the application reads and buffers Telegram webhook request bodies before validating the 'x-telegram-bot-api-secret-token' header. This flaw allows unauthenticated attackers to exhaust server resources by sending POST requests to the webhook endpoint. The server consumes memory, socket time, and processes JSON data before authentication is validated, creating a denial-of-service condition.

Impact

Exploitation of this vulnerability leads to excessive memory consumption, increased socket time, and unnecessary JSON parsing, causing a denial-of-service condition on the server.

Reproduction

To reproduce this vulnerability, send a POST request to the Telegram webhook endpoint with a payload that approaches the maximum body limit. Omit the 'x-telegram-bot-api-secret-token' header or use an incorrect value. The server will process the request body before rejecting the authentication, allowing for resource exhaustion.

Remediation

Users can upgrade to OpenClaw version 2026.3.13 or later, which addresses the vulnerability by validating the Telegram webhook secret before reading and parsing the request body.

Added: Mar 29, 2026, 1:21 PM
Updated: Mar 29, 2026, 1:21 PM

Vulnerability Rating

Custom Algorithm (score per category, 0.0 to 10.0)

spread: 0.0
impact: 2.5
exploitability: 8.4
remediation: 0.0
relevance: 4.9
threat: 4.8
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.