CVE-2026-41343

MEDIUM CVSS 5.3 View on NVD ↗

Description

OpenClaw before 2026.3.31 lacks a shared pre-auth concurrency budget on the public LINE webhook path, allowing attackers to cause transient availability loss. Remote attackers can flood the webhook endpoint with concurrent requests before signature verification to exhaust resources and degrade service availability.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

References

https://github.com/openclaw/openclaw/commit/57c47d8c7fbf5a2e70cc4dec2380977968903cad
https://github.com/openclaw/openclaw/security/advisories/GHSA-qcc3-jqwp-5vh2
https://www.vulncheck.com/advisories/openclaw-denial-of-service-via-line-webhook-handler-pre-auth-concurrency

Published: Apr 23, 2026 22:16 UTC Modified: Apr 24, 2026 14:40 UTC