OpenClaw Denial-of-Service Vulnerability via Unauthenticated Webhook Request Parsing

Vulnerability

A denial-of-service vulnerability has been identified in OpenClaw versions prior to 2026.3.25. The issue arises because the application processes JSON request bodies for Feishu webhooks before validating the authenticity of the signatures. This flaw allows unauthenticated attackers to send malicious webhook requests that force the server to engage in resource-intensive JSON parsing. As a result, server resources can be exhausted, leading to a denial-of-service condition.

Impact

Exploitation of this vulnerability can cause a denial-of-service condition: because JSON parsing runs before webhook signature validation, an attacker's invalid requests consume server resources before they are rejected.

Reproduction

The vulnerability can be reproduced by sending a Feishu webhook request with an invalid JSON payload to an OpenClaw server running a vulnerable version. The server will parse the JSON before rejecting the signature, allowing the invalid request to consume server resources.

Remediation

Users can upgrade to OpenClaw version 2026.3.25 or later to address this vulnerability.

Added: Apr 9, 2026, 11:34 PM
Updated: Apr 9, 2026, 11:34 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 8.4
remediation: 0.0
relevance: 5.5
threat: 4.8
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.