OpenClaw Resource Exhaustion Vulnerability via Unauthenticated MS Teams Webhook Body Parsing
Vulnerability
A resource exhaustion vulnerability has been identified in OpenClaw versions prior to 2026.3.31. The issue arises because the application reads and parses Microsoft Teams webhook request bodies before validating the accompanying JSON Web Token (JWT). As a result, an unauthenticated attacker can submit webhook payloads that the server fully processes before any authentication check is reached, consuming server resources.
Impact
Exploitation of this vulnerability leads to unauthorized resource exhaustion on the server, causing potential denial-of-service conditions.
Reproduction
The vulnerability can be reproduced by sending a Microsoft Teams webhook payload to an OpenClaw server running a vulnerable version. The server will parse the webhook body before performing JWT validation, allowing the payload to bypass authentication and exhaust server resources.
Remediation
Users can upgrade to OpenClaw version 2026.3.31 or later to address this vulnerability.