CVE-2026-32980

Name of the Vulnerable Software and Affected Versions OpenClaw versions prior to 2026.3.13

Description The software reads and buffers Telegram webhook request bodies before validating the x-telegram-bot-api-secret-token header. This allows unauthenticated attackers to exhaust server resources by sending POST requests to the webhook endpoint. Attackers can force memory consumption, socket time, and JSON parsing work before authentication validation occurs. The affected API endpoint is the Telegram webhook endpoint.

Recommendations Update to version 2026.3.13 or later.