OpenClaw Nostr Direct Message Handling Pre-Authentication Denial-of-Service Vulnerability

Vulnerability

A denial-of-service vulnerability has been identified in OpenClaw versions prior to 2026.3.22. The issue arises because the application performs cryptographic and dispatch operations on incoming Nostr direct messages before it validates the sender against its pairing policy. Because the sender check comes after the expensive work rather than before it, any party that can deliver direct messages to the instance, paired or not, can force that work to be done on every message. A flood of crafted direct messages therefore consumes CPU and memory without the attacker ever authenticating, leading to resource exhaustion and potential service disruption.

Impact

Exploitation of this vulnerability causes a denial-of-service condition by exhausting system resources, which can lead to degraded performance or unavailability of the service. No pairing or other authentication is required; the attacker only needs to be able to deliver direct messages to the instance.

Reproduction

The vulnerability can be reproduced by sending direct messages to an OpenClaw instance that is running a version prior to 2026.3.22 from one or more sender keys that are not paired with that instance. No bypass of the pairing mechanism is needed: because the sender policy is only enforced after the cryptographic and dispatch work has already been performed, every message, including messages from unknown senders, costs the instance that work. Sending many such messages in a short period, which can be automated with a script or tool, produces the resource exhaustion; the effect is observable as rising CPU usage and slower handling of legitimate, paired traffic on the target.
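The pattern described in the Vulnerability and Reproduction sections above, as an added illustration that is not OpenClaw's code and is independent of its implementation language: a handler that verifies, decrypts and then checks pairing beside one that checks pairing first. The `Event` shape, the `paired` set, the `verify_sig` and `decrypt` stand-ins (a toy hash convention, not Schnorr or NIP-04/NIP-44), and the work counters are all constructed for this example.

```python
"""Hypothetical Nostr DM handlers showing pre-auth work vs. policy-first handling.

Constructed example, not OpenClaw code. Signature verification and decryption
are stand-ins that count work units instead of doing real secp256k1/AES.
"""
import hashlib
from dataclasses import dataclass


@dataclass
class Event:
    pubkey: str   # claimed sender pubkey (attacker-controlled until the signature is checked)
    content: str  # encrypted DM payload
    sig: str      # claimed signature over the event


@dataclass
class Stats:
    sig_checks: int = 0  # expensive operations performed
    decrypts: int = 0
    dispatched: int = 0
    rejected: int = 0


def verify_sig(ev: Event, stats: Stats) -> bool:
    # Stand-in for Schnorr verification. Toy convention: sig == sha256(pubkey || content).
    stats.sig_checks += 1
    return ev.sig == hashlib.sha256((ev.pubkey + ev.content).encode()).hexdigest()


def decrypt(ev: Event, stats: Stats) -> str:
    # Stand-in for DM decryption; the "enc:" prefix marks the constructed ciphertext.
    stats.decrypts += 1
    return ev.content[len("enc:"):]


def handle_vulnerable(ev: Event, paired: set, stats: Stats):
    # Flawed order: crypto runs for every sender; pairing is consulted last.
    if not verify_sig(ev, stats):
        stats.rejected += 1
        return None
    plaintext = decrypt(ev, stats)
    if ev.pubkey not in paired:
        stats.rejected += 1
        return None
    stats.dispatched += 1
    return plaintext


def handle_fixed(ev: Event, paired: set, stats: Stats):
    # Policy first: an unpaired sender costs one set lookup and nothing else.
    if ev.pubkey not in paired:
        stats.rejected += 1
        return None
    if not verify_sig(ev, stats):
        stats.rejected += 1
        return None
    plaintext = decrypt(ev, stats)
    stats.dispatched += 1
    return plaintext


def make_event(pubkey: str, plaintext: str, signed: bool = True) -> Event:
    # Constructed event; signed=False yields an event whose signature will not verify.
    content = "enc:" + plaintext
    sig = hashlib.sha256((pubkey + content).encode()).hexdigest() if signed else "00" * 32
    return Event(pubkey, content, sig)


PAIRED_PUBKEY = "a" * 64  # constructed: the one sender this instance has paired with


def simulate(handler, n_spam: int = 1000) -> Stats:
    """Flood from n_spam distinct unpaired pubkeys, then one legitimate paired DM."""
    paired = {PAIRED_PUBKEY}
    stats = Stats()
    for i in range(n_spam):
        handler(make_event(f"{i:064x}", "spam"), paired, stats)
    handler(make_event(PAIRED_PUBKEY, "hello"), paired, stats)
    return stats


def spoof_cost(handler) -> Stats:
    """Cost of one message that spoofs the paired pubkey but cannot be signed by it."""
    stats = Stats()
    handler(make_event(PAIRED_PUBKEY, "spoof", signed=False), {PAIRED_PUBKEY}, stats)
    return stats


if __name__ == "__main__":
    for name, handler in (("vulnerable", handle_vulnerable), ("fixed", handle_fixed)):
        print(name, simulate(handler), "spoof:", spoof_cost(handler))
```

Running the flood against `handle_vulnerable` performs a signature check and a decryption for every one of the 1000 unpaired messages before rejecting them; `handle_fixed` performs exactly one of each, for the paired sender. The `spoof_cost` case shows the residual exposure the fix leaves: an attacker who forges the pubkey field of a paired sender can still trigger one signature verification per message (which fails, so nothing is decrypted or dispatched), so a per-pubkey rate limit in front of the signature check is a sensible second layer.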

Remediation

Users can upgrade to OpenClaw version 2026.3.22 or later, where this vulnerability has been fixed.

Added: Apr 9, 2026, 11:58 PM
Updated: Apr 9, 2026, 11:58 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 3.1
exploitability: 8.4
remediation: 0.0
relevance: 5.5
threat: 4.8
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.