Listen to this Post
The vulnerability exists in the voice-call webhook handler of the Openclaw npm package. Prior to version 2026.3.22, the endpoint would fully buffer incoming HTTP request bodies before verifying the provider’s cryptographic signature. Because signature validation is performed after the body is already read into memory, an attacker can send a series of large, well-formed but unauthenticated requests, each forcing the server to allocate memory and CPU time to parse and discard the payload. Although the exhaustion is bounded (each request is processed before being rejected), a sustained flood of such requests can saturate available resources, leading to denial of service. The flaw is triggered by the absence of pre‑authentication body caps and header‑based gating; the code originally did not enforce size limits or early signature checks. The fix in commit 651dc7450b68a5396a009db78ef9382633707ead restructures the webhook handler to first validate the presence and integrity of the signature header, then impose a shared pre‑auth body size cap, and only after those checks read the request body. This ensures that unauthenticated payloads are discarded early without consuming excessive resources. Regression tests added in webhook.test.ts verify the correct behavior for missing signatures, oversized bodies, and timeouts, confirming that the patch fully closes the vector.
dailycve form
Platform: openclaw npm
Version: < 2026.3.22
Vulnerability: unauthenticated resource exhaustion
Severity: medium
date: 2026-03-26
Prediction: already patched
What Undercode Say:
Check installed version
npm list openclaw
Verify fix presence (fixed >=2026.3.22)
npm view openclaw version
Simulate oversized unauthenticated POST (pre‑patch)
curl -X POST https://target/webhook \
-H “Content-Type: application/json” \
-d @/dev/zero –limit-rate 1M
Upgrade to patched version
npm install [email protected]
How Exploit:
An attacker sends a stream of HTTP POST requests to the voice‑call webhook endpoint, each with a large body (e.g., several megabytes) and no valid provider signature header. The vulnerable server buffers every body fully, performs no early rejection, and only later fails signature verification. By sending many such requests concurrently, memory and CPU are exhausted, causing the service to become unresponsive.
Protection from this CVE
- Upgrade to Openclaw >= 2026.3.22 immediately.
- If upgrade is not possible, deploy a reverse proxy (nginx, HAProxy) to enforce request body size limits (e.g., client_max_body_size 1k) on the webhook route before traffic reaches the application.
- Monitor for anomalous spikes in POST requests to the voice‑call endpoint and rate‑limit unauthenticated traffic.
Impact
Successful exploitation leads to denial of service: the Openclaw instance may become unresponsive, dropping legitimate voice‑call events and potentially affecting all connected services that rely on the webhook. Resource exhaustion is bounded per request but can be sustained indefinitely with minimal attacker bandwidth, disrupting availability until the service is restarted or the attack stops.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

