Platform
nodejs
Component
openclaw
Fixed in
2026.3.13
CVE-2026-32980 is a denial-of-service (DoS) vulnerability affecting OpenClaw. The vulnerability exists because the application reads and buffers Telegram webhook request bodies before validating the x-telegram-bot-api-secret-token header. This allows unauthenticated attackers to exhaust server resources by sending POST requests to the webhook endpoint. This issue affects OpenClaw versions prior to 2026.3.13, and is fixed in version 2026.3.13.
CVE-2026-32980 in openclaw allows unauthenticated attackers to force, per request, up to the configured webhook body limit of pre-authentication body I/O plus the JSON parse of that body. Versions of openclaw up to and including 2026.3.12 read and buffer Telegram webhook request bodies before validating the x-telegram-bot-api-secret-token header. An attacker who sends a stream of such requests can consume server resources and cause a denial of service. Because the token is still checked before the update is acted on, a request carrying a wrong token cannot drive the webhook's own logic; the exposure is the work the server performs before that check.
This matters most for openclaw deployments exposed as a standalone Telegram webhook, where the endpoint must be reachable by Telegram and is therefore reachable by anyone. Since no authentication happens before the body is read, any client can impose that cost on every request. The CVSS score of 7.5 reflects a high-severity, network-reachable, unauthenticated impact on availability.
Exploit Status
EPSS
0.09% (26th percentile)
CISA SSVC
CVSS Vector
The fix is to upgrade to openclaw 2026.3.13 or later, which validates the Telegram secret token before reading and processing the webhook request body. Upgrading promptly is strongly recommended. Additionally, make sure the secret token you register with Telegram is long, random and unique to this bot, and store it as a secret rather than in source. Watch server logs for unusual volumes of requests to the webhook endpoint.
Update OpenClaw to version 2026.3.13 or later. This version fixes the resource-exhaustion vulnerability by validating the x-telegram-bot-api-secret-token header before processing the request body.
A Telegram webhook is a way for Telegram to send updates to your application when certain events occur, such as new messages or edits. Your application provides a URL (the webhook) to which Telegram sends these data.
Check which version of openclaw you are running. If it is 2026.3.12 or earlier, you are affected. Run npm list openclaw in the project directory to see the installed version.
If you cannot upgrade immediately, reduce the exposure in the meantime: cap the maximum request body size for the webhook path at the reverse proxy or load balancer (Telegram updates are small, so a tight limit is safe), rate-limit POSTs to that path, and monitor server logs for bursts of requests to the webhook endpoint.
There is no dedicated scanner for this issue. Comparing the installed openclaw version against 2026.3.13 and monitoring webhook request logs are the practical checks.
A CVSS score of 7.5 is rated High. For this issue the impact is to availability: the endpoint is reachable over the network and exploitable by an unauthenticated client, and a sustained flood of requests can make the service unresponsive.