CVE-2026-32980
Published: 29 March 2026
Summary
CVE-2026-32980 is a high-severity Allocation of Resources Without Limits or Throttling (CWE-770) vulnerability in Openclaw Openclaw. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application Exhaustion Flood (T1499.003); ranked at the 11.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SC-14 (Public Access Protections) and SC-5 (Denial-of-service Protection).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Denial-of-service protection directly prevents resource exhaustion from unauthenticated large POST requests to the webhook endpoint by implementing limits on request size, rate limiting, and connection handling.
Public access protections enforce strict authentication requirements, such as validating the x-telegram-bot-api-secret-token header before buffering or processing request bodies on publicly exposed webhook endpoints.
Flaw remediation ensures timely patching to OpenClaw 2026.3.13 or later, which fixes the vulnerability by validating the authentication token before reading and buffering webhook request bodies.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The CVE describes unauthenticated remote requests to a public webhook endpoint that force memory allocation, socket holding, and expensive JSON parsing before any auth check, directly enabling repeated requests to exhaust application resources and cause DoS. This precisely matches the definition and examples of T1499.003 Application Exhaustion Flood.
NVD Description
OpenClaw before 2026.3.13 reads and buffers Telegram webhook request bodies before validating the x-telegram-bot-api-secret-token header, allowing unauthenticated attackers to exhaust server resources. Attackers can send POST requests to the webhook endpoint to force memory consumption, socket time, and JSON parsing…
more
work before authentication validation occurs.
Deeper analysisAI
CVE-2026-32980 is a resource exhaustion vulnerability (CWE-770) affecting OpenClaw versions prior to 2026.3.13. The flaw occurs because the software reads and buffers Telegram webhook request bodies before validating the x-telegram-bot-api-secret-token header. This design allows unauthenticated POST requests to the webhook endpoint to trigger memory consumption, socket timeouts, and JSON parsing operations prior to any authentication checks. The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating high-impact denial-of-service potential with network accessibility and no privileges required.
Unauthenticated remote attackers can exploit this vulnerability by sending crafted POST requests to the exposed webhook endpoint. Each request forces the server to allocate memory for buffering large request bodies, hold open sockets, and perform computationally expensive JSON parsing before the invalid token is checked and rejected. Repeated requests enable resource exhaustion, potentially leading to service degradation or complete denial of service on affected OpenClaw deployments handling Telegram webhooks.
Mitigation is addressed in OpenClaw version 2026.3.13 and later, as detailed in the project's GitHub security advisory (GHSA-jq3f-vjww-8rq7) and corresponding patch commit (7e49e98f79073b11134beac27fdff547ba5a4a02). Security practitioners should upgrade to the fixed version immediately and review webhook endpoint exposures. Additional analysis is available in the Vulncheck advisory on unauthenticated Telegram webhook resource exhaustion.
Details
- CWE(s)