CVE-2026-32011
OpenClaw has pre-auth webhook body parsing that can enable unauthenticated slow-request DoS
Description
## Impact

OpenClaw webhook handlers for BlueBubbles and Google Chat accepted and parsed request bodies before authentication and signature checks on vulnerable releases. This allowed unauthenticated clients to hold parser work open with slow or oversized request bodies and degrade availability (slow-request DoS).

## Affected Packages / Versions

- Package: `openclaw` (npm)
- Affected releases: `<= 2026.3.1`
- Latest published vulnerable version at triage time: `2026.3.1` (npm)
- Fixed release: `2026.3.2` (released)

## Fix Commit(s)

- `d3e8b17aa6432536806b4853edc7939d891d0f25`

## Mitigation

Upgrade to `2026.3.2` (or newer). The fix enforces auth-before-body for affected webhook paths, adds strict pre-auth body/time budgets, and introduces shared in-flight/request guardrails with regression coverage.
How to fix CVE-2026-32011
To remediate CVE-2026-32011, upgrade the affected package to a fixed version below.
- `openclaw` (npm): upgrade to 2026.3.2 or later
Is CVE-2026-32011 being exploited?
Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- `openclaw` (npm): all versions from 0 up to, but not including, 2026.3.2
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N |
| osv | CVSS 3.1 | HIGH (7.5) | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |