OpenClaw Denial-of-Service Vulnerability via Feishu Webhook Pre-Authentication Body Parsing

Vulnerability

A denial-of-service vulnerability has been identified in OpenClaw versions prior to 2026.3.24. The Feishu webhook handler accepts request bodies of up to 1MB and waits up to 30 seconds for them to arrive before it verifies the webhook signature. Because this buffering happens before any authentication, an unauthenticated attacker can open many concurrent slow HTTP POST requests to the Feishu webhook endpoint, exhausting the server's connection resources and blocking legitimate webhook deliveries.

Impact

Exploitation results in a denial-of-service condition: the server's connection resources are exhausted and legitimate Feishu webhook deliveries are blocked. Each slow HTTP connection can be held open for up to 30 seconds, and the server buffers up to 1MB per connection, so a modest number of concurrent connections consumes significant resources.

Reproduction

The vulnerability can be reproduced by sending slow HTTP POST requests to the '/feishu/events' endpoint: a script that opens concurrent connections, each trickling body data at a rate of 1 byte per second, holds every connection open for the full duration of the timeout.

Remediation

Upgrade to OpenClaw version 2026.3.24 or later, where this vulnerability has been addressed.
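The fix pattern for this class of bug is to bound how much an unauthenticated request may buffer and how long it may take to arrive, instead of giving every caller the full body limit and server timeout before the signature is checked. The following is an added example, not OpenClaw's own code; the limit values are assumptions chosen for illustration.

```javascript
// Limits are illustrative; tune them to real webhook payload sizes and latency.
const LIMITS = { maxBytes: 64 * 1024, idleMs: 1000, totalMs: 5000 };

// Byte and timing budget for one request; pure, so it can be unit-tested.
class BodyGuard {
  constructor(limits = LIMITS, startMs = Date.now()) {
    this.limits = limits; this.received = 0; this.startMs = startMs; this.lastMs = startMs;
  }
  // Which time budget has been exceeded at nowMs, or null if none.
  deadlineReason(nowMs) {
    if (nowMs - this.lastMs > this.limits.idleMs) return 'idle timeout';
    if (nowMs - this.startMs > this.limits.totalMs) return 'total timeout';
    return null;
  }
  // Returns null while the request stays within budget, else a reject reason.
  onChunk(chunk, nowMs) {
    const late = this.deadlineReason(nowMs); if (late) return late;
    this.received += chunk.length;
    if (this.received > this.limits.maxBytes) return 'body too large';
    this.lastMs = nowMs;
    return null;
  }
}

// Reads the body of req (an http.IncomingMessage) and destroys the socket the
// moment any budget is exceeded, so a trickled POST cannot hold the connection.
function readBody(req, limits = LIMITS) {
  return new Promise((resolve, reject) => {
    // Reject an oversized declared length before buffering a single byte.
    const declared = Number(req.headers['content-length']);
    if (declared > limits.maxBytes) { req.destroy(); return reject(new Error('declared body too large')); }
    const guard = new BodyGuard(limits);
    const chunks = []; let timer;
    const fail = (reason) => { clearTimeout(timer); req.destroy(); reject(new Error(reason)); };
    // Arm a timer for whichever deadline (idle or total) comes first.
    const arm = () => {
      clearTimeout(timer);
      const next = Math.min(guard.lastMs + limits.idleMs, guard.startMs + limits.totalMs);
      timer = setTimeout(() => fail(guard.deadlineReason(Date.now()) || 'timeout'),
                         Math.max(0, next - Date.now()) + 1);
    };
    req.on('data', (chunk) => {
      const reason = guard.onChunk(chunk, Date.now());
      if (reason) return fail(reason);
      chunks.push(chunk); arm();
    });
    req.on('end', () => { clearTimeout(timer); resolve(Buffer.concat(chunks)); });
    req.on('error', (err) => fail(err.message));
    arm(); // a client that sends headers and then nothing is cut off at idleMs
  });
}
```

Equivalent limits enforced at a reverse proxy in front of the endpoint (request body size and header/body read timeouts) reduce exposure until the upgrade is applied.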

Added: Apr 10, 2026, 5:57 PM
Updated: Apr 10, 2026, 5:57 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 8.7
remediation: 0.0
relevance: 5.6
threat: 6.4
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.