Skip to main content

Google CVE-2026-32011

HIGH
Allocation of Resources Without Limits or Throttling (CWE-770)
2026-03-19 disclosure@vulncheck.com GHSA-x4vp-4235-65hg
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

3
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
Analysis Generated
Mar 19, 2026 - 22:30 vuln.today
CVE Published
Mar 19, 2026 - 22:16 nvd
HIGH 7.5

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 4 npm packages depend on openclaw (4 direct, 0 indirect)

Ecosystem-wide dependent count for version 2026.3.2.

DescriptionCVE.org

OpenClaw versions prior to 2026.3.2 contain a denial of service vulnerability in webhook handlers for BlueBubbles and Google Chat that parse request bodies before performing authentication and signature validation. Unauthenticated attackers can exploit this by sending slow or oversized request bodies to exhaust parser resources and degrade service availability.

AnalysisAI

OpenClaw webhook handlers for BlueBubbles and Google Chat prior to version 2026.3.2 fail to validate authentication before parsing request bodies, allowing unauthenticated remote attackers to trigger denial of service by sending maliciously crafted or oversized payloads. Successful exploitation exhausts parser resources and degrades service availability, with no patch currently available. The vulnerability affects all Google products using the vulnerable OpenClaw versions.

Technical ContextAI

The vulnerability stems from improper resource consumption control (CWE-770) in webhook endpoint implementations. OpenClaw is an open-source project that provides webhook integration services for various chat platforms including BlueBubbles and Google Chat. The flawed design performs computationally expensive body parsing operations on incoming HTTP requests before verifying authentication tokens or request signatures, violating the principle of fail-fast security checks. This allows attackers to consume server resources without valid credentials by sending malformed, oversized, or deliberately slow request payloads.

RemediationAI

Upgrade OpenClaw to version 2026.3.2 or later which contains the security fix documented at https://github.com/openclaw/openclaw/security/advisories/GHSA-x4vp-4235-65hg. If immediate patching is not possible, implement rate limiting and request size restrictions at the reverse proxy or load balancer level to mitigate resource exhaustion attacks. Consider restricting webhook endpoint access to trusted IP ranges or implementing API gateway protection. Monitor webhook endpoints for unusual request patterns or resource consumption spikes that may indicate exploitation attempts.

Share

CVE-2026-32011 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy