OpenClaw Denial-of-Service Vulnerability via Improper Pending Pairing Request Cap Enforcement

Vulnerability

A denial-of-service vulnerability has been identified in OpenClaw versions from 2026.2.26 up to, but not including, 2026.3.31. The affected versions enforce the cap on pending pairing requests per channel file rather than per account, so every account that shares a channel also shares one pending window. A remote attacker who controls one account on the channel can fill that window with their own pairing requests, after which new pairing challenges for the other accounts on the same channel are refused even though those accounts have submitted no requests of their own.

Impact

Exploiting this vulnerability blocks the pairing flow for every other account that shares the channel, including accounts that have used none of their own pending slots. No new pairing challenges can be issued for those accounts until the shared window drains, which is a denial of service against their pairing.

Reproduction

To reproduce, submit pairing requests from one account to a channel that other accounts also use until the channel's pending cap is reached. Pairing requests from the other accounts on that channel are then rejected, even though those accounts have not used any of their own pending slots. The issue can be confirmed by checking the status of pairing requests for the affected accounts: their new requests are refused while the channel's pending window remains full of the first account's requests.
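The following is an added example, not code from OpenClaw or from this advisory, that models the flaw described in the Vulnerability and Reproduction sections: a pending pairing-request cap keyed by channel alone (standing in for the per-channel-file cap) beside the same cap keyed by channel and account. The cap value, the class and function names, and the channel, account and requester identifiers are assumptions for illustration.

```python
# Added example: a minimal model of a pending pairing-request cap enforced
# per channel (the flawed design this advisory describes) beside the same cap
# enforced per (channel, account). Names, the cap value and the identifiers
# are assumptions for illustration, not OpenClaw's own code.
from collections import defaultdict
from typing import Callable, Dict, List, Tuple

MAX_PENDING = 3  # assumed cap; the advisory does not state the real value

PendingKey = Tuple[str, ...]


class PairingStore:
    """Holds pending pairing requests, bucketed by a key chosen by key_fn.

    The cap is applied to the bucket the key selects, so the choice of key
    decides whether one account can consume another account's quota.
    """

    def __init__(self, key_fn: Callable[[str, str], PendingKey],
                 max_pending: int = MAX_PENDING):
        self.key_fn = key_fn
        self.max_pending = max_pending
        self.pending: Dict[PendingKey, List[Tuple[str, str]]] = defaultdict(list)

    def request(self, channel: str, account: str, requester: str) -> bool:
        """Queue a pairing challenge; return False when the bucket is full."""
        bucket = self.pending[self.key_fn(channel, account)]
        if len(bucket) >= self.max_pending:
            return False
        bucket.append((account, requester))
        return True

    def pending_for(self, channel: str, account: str) -> List[str]:
        """Requester ids currently pending for one account on one channel."""
        key = self.key_fn(channel, account)
        return [r for a, r in self.pending[key] if a == account]


# Flawed: one bucket per channel (modelling the per-channel-file cap), so every
# account on the channel shares the same pending window.
def per_channel_key(channel: str, account: str) -> PendingKey:
    return (channel,)


# Hardened: one bucket per (channel, account) pair, so an account can only
# exhaust its own window.
def per_account_key(channel: str, account: str) -> PendingKey:
    return (channel, account)


def cross_account_starvation(key_fn: Callable[[str, str], PendingKey]) -> dict:
    """Reproduce the scenario from the advisory against a store built with key_fn.

    An attacker-controlled account submits MAX_PENDING requests on a channel
    it shares with a victim account; the victim then attempts one request.
    The constructed identifiers below are illustrative only.
    """
    store = PairingStore(key_fn)
    attacker_accepted = sum(
        store.request("shared-channel", "attacker-account", f"attacker-bot-{i}")
        for i in range(MAX_PENDING)
    )
    victim_accepted = store.request("shared-channel", "victim-account", "legit-device")
    return {
        "attacker_accepted": attacker_accepted,
        "victim_accepted": victim_accepted,
        "victim_pending": store.pending_for("shared-channel", "victim-account"),
    }


if __name__ == "__main__":
    print("per-channel cap :", cross_account_starvation(per_channel_key))
    print("per-account cap :", cross_account_starvation(per_account_key))
```

With the per-channel key the victim's request is refused and its pending list stays empty even though it never submitted a request before; with the per-account key the attacker's three requests fill only the attacker's own bucket and the victim's request is accepted. The same check, run against a real deployment, is what the Reproduction section describes: fill the channel from one account, then inspect the other accounts' pending status.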

Remediation

Upgrade to OpenClaw version 2026.3.31 or later, which addresses this vulnerability. The advisory lists no workaround for earlier versions.

Added: Apr 23, 2026, 10:31 PM
Updated: Apr 23, 2026, 10:31 PM

Vulnerability Rating

Custom Algorithm

spread:         0.0
impact:         0.6
exploitability: 6.3
remediation:    0.0
relevance:      6.5
threat:         4.8
urgency:        2.9
incentive:      0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.