CVE-2026-41405

HIGH CVSS 7.5 View on NVD ↗

Description

OpenClaw before 2026.3.31 parses MS Teams webhook request bodies before performing JWT validation, allowing unauthenticated attackers to trigger resource exhaustion. Remote attackers can send malicious Teams webhook payloads to exhaust server resources by bypassing authentication checks.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

https://github.com/openclaw/openclaw/commit/3834d47099dd13c8244ed6de8b9ea9855c553623
https://github.com/openclaw/openclaw/security/advisories/GHSA-p464-m8x6-vhv8
https://www.vulncheck.com/advisories/openclaw-resource-exhaustion-via-unauthenticated-ms-teams-webhook-body-parsing

Published: Apr 28, 2026 19:37 UTC Modified: Apr 28, 2026 20:10 UTC