OpenClaw Resource Exhaustion Vulnerability in Voice Call Webhook Handling
Vulnerability
A resource exhaustion vulnerability has been identified in OpenClaw versions prior to 2026.3.22. The voice call webhook handler reads and buffers the full request body before it checks the provider signature headers, so a request that carries no valid signature still costs the server the entire read and buffer. An unauthenticated attacker can therefore exhaust server memory and CPU with large or numerous webhook requests; the signature check rejects each request only after the resources have already been spent.
Impact
Exploitation of this vulnerability leads to a denial-of-service condition: server resources are consumed buffering large or numerous unsigned webhook requests, potentially causing service degradation or interruption.
Reproduction
The vulnerability can be reproduced by sending a request to the voice call webhook endpoint without the required provider signature headers. Because the handler buffers the body before it checks the signature, a large payload (or many concurrent ones) is read fully into memory and only then rejected, so the resource cost is incurred with no authentication.
Remediation
Users can upgrade to OpenClaw version 2026.3.22 or later to address this vulnerability.
