Is there a patch available for CVE-2026-35640?

Yes, a patch is available for CVE-2026-35640. Update the affected software to the latest version immediately.

OpenClaw CVE-2026-35640

Q: What is the CVSS score of CVE-2026-35640?

CVE-2026-35640 has a CVSS 4.0 base score of 6.9 (Medium). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.1%.

EUVD-2026-21136 MEDIUM

Incorrect Behavior Order (CWE-696)

2026-04-09 VulnCheck

GHSA-8f9r-gr6r-x63q

Denial Of Service

6.9

CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Lifecycle Timeline

EUVD ID Assigned

Apr 09, 2026 - 21:45 euvd

EUVD-2026-21136

Analysis Generated

Apr 09, 2026 - 21:45 vuln.today

Patch released

Apr 09, 2026 - 21:45 nvd

Patch available

CVE Published

Apr 09, 2026 - 21:27 nvd

MEDIUM 6.9

Blast Radius

ecosystem impact

† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth

3 npm packages depend on openclaw (3 direct, 0 indirect)

Ecosystem-wide dependent count for version 2026.3.28.

DescriptionNVD

OpenClaw before 2026.3.25 parses JSON request bodies before validating webhook signatures, allowing unauthenticated attackers to force resource-intensive parsing operations. Remote attackers can send malicious webhook requests to trigger denial of service by exhausting server resources through forced JSON parsing before signature rejection.

AnalysisAI

OpenClaw before version 2026.3.25 processes JSON webhook request bodies before validating cryptographic signatures, allowing unauthenticated remote attackers to trigger denial of service by submitting malicious webhook payloads that force computationally expensive JSON parsing operations. The vulnerability exploits a logic-ordering defect where signature validation occurs after resource-intensive parsing, enabling attackers to exhaust server resources without valid credentials. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-35640 vulnerability details – vuln.today

Back

OpenClaw CVE-2026-35640

CVSS VectorNVD

Lifecycle Timeline

Blast Radius

DescriptionNVD

AnalysisAI

Analysis

Full analysis requires sign-in

Share

OpenClaw CVE-2026-35640

CVSS VectorNVD

Lifecycle Timeline

Blast Radius

DescriptionNVD

AnalysisAI

Full analysis requires sign-in

Share

External POC / Exploit Code