Google
CVE-2026-32011
HIGH
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
3Blast Radius
ecosystem impact- 4 npm packages depend on openclaw (4 direct, 0 indirect)
Ecosystem-wide dependent count for version 2026.3.2.
DescriptionCVE.org
OpenClaw versions prior to 2026.3.2 contain a denial of service vulnerability in webhook handlers for BlueBubbles and Google Chat that parse request bodies before performing authentication and signature validation. Unauthenticated attackers can exploit this by sending slow or oversized request bodies to exhaust parser resources and degrade service availability.
AnalysisAI
OpenClaw webhook handlers for BlueBubbles and Google Chat prior to version 2026.3.2 fail to validate authentication before parsing request bodies, allowing unauthenticated remote attackers to trigger denial of service by sending maliciously crafted or oversized payloads. Successful exploitation exhausts parser resources and degrades service availability, with no patch currently available. The vulnerability affects all Google products using the vulnerable OpenClaw versions.
Technical ContextAI
The vulnerability stems from improper resource consumption control (CWE-770) in webhook endpoint implementations. OpenClaw is an open-source project that provides webhook integration services for various chat platforms including BlueBubbles and Google Chat. The flawed design performs computationally expensive body parsing operations on incoming HTTP requests before verifying authentication tokens or request signatures, violating the principle of fail-fast security checks. This allows attackers to consume server resources without valid credentials by sending malformed, oversized, or deliberately slow request payloads.
RemediationAI
Upgrade OpenClaw to version 2026.3.2 or later which contains the security fix documented at https://github.com/openclaw/openclaw/security/advisories/GHSA-x4vp-4235-65hg. If immediate patching is not possible, implement rate limiting and request size restrictions at the reverse proxy or load balancer level to mitigate resource exhaustion attacks. Consider restricting webhook endpoint access to trusted IP ranges or implementing API gateway protection. Monitor webhook endpoints for unusual request patterns or resource consumption spikes that may indicate exploitation attempts.
Same technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-x4vp-4235-65hg