OpenClaw, Authentication Bypass in Webhook Handling, CVE-2026-XXXX (Moderate)

Listen to this Post

How the CVE Works

The vulnerability exists in the Feishu webhook handler of OpenClaw versions up to 2026.3.24. In the affected code, the webhook endpoint received an incoming HTTP POST request from Feishu. The handler function first read the incoming request body and immediately attempted to parse it as JSON to extract the necessary fields. This parsing occurred before any verification of the Feishu-provided cryptographic signature. A remote, unauthenticated attacker could exploit this ordering by sending a specially crafted, large, or malformed JSON payload to the webhook URL. Since the signature was not validated first, the server would still allocate resources to fully parse the JSON payload. This created a potential denial-of-service (DoS) condition where repeated, large requests could consume excessive CPU and memory. Furthermore, the attacker could trigger application logic errors or logging based on malformed JSON before being rejected. The fix, implemented in commit 5e8cb221, reverses this process. The raw request body is now read and held. The signature is validated first. Only after successful authentication does the application parse the JSON body, ensuring that unauthenticated requests incur minimal processing cost.
Platform: OpenClaw
Version: <= 2026.3.24
Vulnerability : Authentication Bypass DoS
Severity: Moderate
date: 2026-03-26

Prediction: Fixed 2026-03-29

What Undercode Say:

Simulate vulnerable behavior (pre-patch): Parses JSON first
curl -X POST https://target.com/feishu/webhook \
-H "Content-Type: application/json" \
-d '{"key":"value"}' \
--header "X-Feishu-Signature: invalid"
Verify fix (post-patch): Signature check first
Server should reject with 401/403 before JSON processing
curl -X POST https://target.com/feishu/webhook \
-H "Content-Type: application/json" \
-d '{"key":"value"}' \
--header "X-Feishu-Signature: invalid" \
-w "%{http_code}\n"

Exploit:

Craft oversized JSON payload to exhaust resources before signature rejection.

Protection from this CVE

Upgrade to OpenClaw version 2026.3.25 or commit `5e8cb221`.

Impact:

Remote unauthenticated DoS via resource exhaustion.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top