HIGHCVE-2026-32980Published 2026-03-29Modified 2026-03-30CNA VulnCheck

CVE-2026-32980: OpenClaw < 2026.3.13 - Resource Exhaustion via Unauthenticated Telegram Webhook Request

OpenClaw before 2026.3.13 reads and buffers Telegram webhook request bodies before validating the x-telegram-bot-api-secret-token header, allowing unauthenticated attackers to exhaust server resources. Attackers can send POST requests to the webhook endpoint to force memory consumption, socket time, and JSON parsing work before authentication validation occurs.

CVSS v4.0: 8.7
Severity: HIGH
Fixed in: 2026.3.13
Affected Products: 1

Fix available

2026.3.13

Patch commits

Patch Commit

Affected packages

OpenClaw / OpenClaw
< 2026.3.13 (from 0)
Fixed in 2026.3.13

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

References

GitHub Security Advisory (GHSA-jq3f-vjww-8rq7)
Patch Commit
VulnCheck Advisory: OpenClaw < 2026.3.13 - Resource Exhaustion via Unauthenticated Telegram Webhook Request

Metrics

Fix available