Medium severity 5.3 · NVD Advisory · Published Apr 9, 2026 · Updated Apr 15, 2026
CVE-2026-35626
Description
OpenClaw before 2026.3.22 contains an unauthenticated resource exhaustion vulnerability in voice call webhook handling that buffers request bodies before provider signature checks. Attackers can send large or malicious webhook requests to exhaust server resources without authentication by bypassing signature validation.
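The ordering problem in the description, shown as an added example that is not OpenClaw's code or its patch: one handler buffers the whole body before checking anything, the other rejects early and enforces a cap while reading. The `x-signature` header name, the 64 KiB cap, the chunk-iterable stand-in for a request stream and the `verify` callback are assumptions.

```javascript
// Added example; every name and limit here is an assumption, not OpenClaw's API.
const MAX_BODY_BYTES = 64 * 1024; // assumed cap; size it to the provider's largest real payload

// Constructed input: a sender streaming `count` chunks of `size` bytes each.
function* constructedChunks(count, size) {
  for (let i = 0; i < count; i++) yield Buffer.alloc(size, 0x41);
}

// Constructed stand-ins for a provider signature check (a real one is an HMAC or similar).
const rejectAll = () => false;
const constructedVerify = (body, sig) => sig === 'valid:' + body.length;

// Vulnerable ordering: the whole body is buffered before any check runs,
// so an unauthenticated sender decides how much memory the server spends.
function handleBufferFirst(headers, chunks, verify) {
  const body = Buffer.concat([...chunks]);
  const ok = verify(body, headers['x-signature'] || '');
  return { status: ok ? 200 : 401, buffered: body.length };
}

// Hardened ordering: cheap header checks first, then a hard cap enforced
// while reading, and only then the provider signature check.
function handleBounded(headers, chunks, verify, maxBytes = MAX_BODY_BYTES) {
  const signature = headers['x-signature'];
  if (!signature) return { status: 401, buffered: 0 };

  // Content-Length is sender-supplied: use it to reject early, never as the limit.
  const declared = Number(headers['content-length']);
  if (Number.isFinite(declared) && declared > maxBytes) return { status: 413, buffered: 0 };

  const parts = [];
  let total = 0;
  for (const chunk of chunks) {
    total += chunk.length;
    // Stop pulling data once the cap is crossed; a real server also closes the socket.
    if (total > maxBytes) return { status: 413, buffered: total - chunk.length };
    parts.push(chunk);
  }
  const ok = verify(Buffer.concat(parts, total), signature);
  return { status: ok ? 200 : 401, buffered: total };
}
```

With the constructed 256 KiB stream, the first handler holds all of it before returning 401, while the second never holds more than the cap.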
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| openclaw (npm) | < 2026.3.22 | 2026.3.22 |
References
- github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87 (nvd: Patch, WEB)
- github.com/openclaw/openclaw/commit/651dc7450b68a5396a009db78ef9382633707ead (nvd: Patch, WEB)
- github.com/advisories/GHSA-rm59-992w-x2mv (ghsa: ADVISORY)
- github.com/openclaw/openclaw/security/advisories/GHSA-rm59-992w-x2mv (nvd: Vendor Advisory, WEB)
- nvd.nist.gov/vuln/detail/CVE-2026-35626 (ghsa: ADVISORY)
- www.vulncheck.com/advisories/openclaw-unauthenticated-resource-exhaustion-via-voice-call-webhook (nvd: Third Party Advisory, WEB)