PT-2026-31976 · Openclaw · Openclaw

Published: 2026-03-30 · Updated: 2026-04-10 · CVE-2026-35665

CVSS v4.0: 6.9 (Medium)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: OpenClaw versions 2026.2.22 and earlier

Description: OpenClaw versions prior to 2026.3.24 contain an incomplete fix for CVE-2026-32011, leaving the Feishu webhook handler vulnerable to denial of service (DoS). The handler accepts request bodies under permissive limits (1 MB body, 30-second timeout) before the webhook signature is verified, so an unauthenticated attacker can send concurrent slow HTTP POST requests to the /feishu/events API endpoint, exhaust server connection resources, and block legitimate webhook deliveries.

The vulnerability exists because the installRequestBodyLimitGuard function is applied with these large limits (1 MB body, 30-second timeout) before signature verification in extensions/feishu/src/monitor.ts. This lets an attacker hold connections open for an extended period while consuming server resources. An attack can consist of slow HTTP POST requests to /feishu/events whose body trickles in at a slow rate (e.g., 1 byte/second) for the full timeout duration; multiple concurrent connections amplify the impact, leading to connection exhaustion and DoS. The vulnerable code is located at lines 276-280 in extensions/feishu/src/monitor.ts.

Recommendations: Update to OpenClaw version 2026.3.24 or later.
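The following TypeScript is an added illustration of the guard the advisory describes; it is not OpenClaw's code and not the change shipped in 2026.3.24 (this page does not show that change). It models a request-body guard as a state machine with three rules (byte cap, overall deadline, and an idle gap between chunks), replays the advisory's 1 MB / 30 s limits beside an assumed tighter set, and shows how the same guard is wired to a request stream so a trickling body is cut off early. The TIGHT_LIMITS values, the idle-gap rule, and the BodyStream and readGuardedBody names are assumptions, as is the equal idle value given to the permissive set (a single overall timeout has no per-chunk rule).

```typescript
// Added illustration, not OpenClaw's code. The guard decides synchronously so the
// policy can be tested without sockets; readGuardedBody wires it to a request.
type GuardVerdict = "ok" | "too-large" | "too-slow" | "timeout";

interface GuardLimits {
  maxBytes: number; // cap on accumulated body bytes
  totalMs: number;  // deadline for the whole body, from the start of the request
  idleMs: number;   // longest allowed silence between two chunks
}

// Values named in the advisory (1 MB, 30 s); idleMs for this set is an assumption,
// as a single overall timeout has no per-chunk rule. The tighter set is assumed.
const PERMISSIVE_LIMITS: GuardLimits = { maxBytes: 1_048_576, totalMs: 30_000, idleMs: 30_000 };
const TIGHT_LIMITS: GuardLimits = { maxBytes: 64 * 1024, totalMs: 5_000, idleMs: 750 };

class BodyGuard {
  private readonly limits: GuardLimits;
  private readonly startedAt: number;
  private lastChunkAt: number;
  private received = 0;

  constructor(limits: GuardLimits, startMs: number) {
    this.limits = limits;
    this.startedAt = startMs;
    this.lastChunkAt = startMs; // a client that never sends a body still hits idleMs
  }

  // Time-only rule: run by feed() and by an idle timer when nothing arrives.
  check(nowMs: number): GuardVerdict {
    if (nowMs - this.lastChunkAt > this.limits.idleMs) return "too-slow";
    if (nowMs - this.startedAt > this.limits.totalMs) return "timeout";
    return "ok";
  }

  // Account for a chunk of `chunkBytes` arriving at `nowMs`.
  feed(chunkBytes: number, nowMs: number): GuardVerdict {
    const timing = this.check(nowMs);
    if (timing !== "ok") return timing;
    this.received += chunkBytes;
    this.lastChunkAt = nowMs;
    return this.received > this.limits.maxBytes ? "too-large" : "ok";
  }
}

interface TrickleResult { verdict: GuardVerdict; elapsedMs: number; bytesRead: number }

// Replay a body sent as `chunks` pieces of `chunkBytes`, one every `gapMs` (the
// first immediately), and report when and why the guard gave up on it.
function simulateTrickle(limits: GuardLimits, gapMs: number, chunkBytes: number, chunks: number): TrickleResult {
  const guard = new BodyGuard(limits, 0);
  let bytesRead = 0;
  let t = 0;
  for (let i = 0; i < chunks; i++) {
    t = i * gapMs;
    const verdict = guard.feed(chunkBytes, t);
    if (verdict !== "ok") return { verdict, elapsedMs: t, bytesRead };
    bytesRead += chunkBytes;
  }
  return { verdict: "ok", elapsedMs: t, bytesRead };
}

// Duck-typed view of a request stream; Node's http.IncomingMessage satisfies it.
interface BodyStream {
  on(event: "data", cb: (chunk: Uint8Array) => void): unknown;
  on(event: "end", cb: () => void): unknown;
  destroy(): unknown;
}

// Buffer a body under `limits`. On any verdict other than "ok" the socket is
// destroyed, which frees the slot a trickling client was holding. Signature
// verification over the returned bytes is the caller's next step.
function readGuardedBody(req: BodyStream, limits: GuardLimits, now: () => number = Date.now): Promise<Uint8Array> {
  return new Promise((resolve, reject) => {
    const guard = new BodyGuard(limits, now());
    const parts: Uint8Array[] = [];
    let total = 0;
    let timer: ReturnType<typeof setTimeout> | undefined;
    const fail = (verdict: GuardVerdict) => { clearTimeout(timer); req.destroy(); reject(new Error(verdict)); };
    const arm = () => {
      clearTimeout(timer);
      timer = setTimeout(() => {
        const v = guard.check(now());
        if (v === "ok") arm(); else fail(v);
      }, limits.idleMs);
    };
    arm();
    req.on("data", (chunk: Uint8Array) => {
      const v = guard.feed(chunk.length, now());
      if (v !== "ok") { fail(v); return; }
      parts.push(chunk);
      total += chunk.length;
      arm();
    });
    req.on("end", () => {
      clearTimeout(timer);
      const body = new Uint8Array(total);
      let offset = 0;
      for (const p of parts) { body.set(p, offset); offset += p.length; }
      resolve(body);
    });
  });
}

// A 1 byte/second body: held for the full window under the advisory's limits,
// dropped after the first idle gap under the tighter ones.
console.log(simulateTrickle(PERMISSIVE_LIMITS, 1000, 1, 30));
console.log(simulateTrickle(TIGHT_LIMITS, 1000, 1, 30));
```

The point of the idle rule is that an overall timeout alone still lets a client occupy a connection for the entire window as long as it keeps sending something; the gap rule ends the read as soon as the trickle is slower than a real webhook sender would ever be. A signature computed over the body (the usual webhook scheme) cannot be checked until the body has been buffered, so at this stage the size cap, the two timers, and a per-source cap on in-flight requests are the only protections available, and the handler should keep all of them small enough that a single slow connection is cheap.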

Fix

Resource Exhaustion

Weakness Enumeration

Related Identifiers

CVE-2026-35665
GHSA-W6M8-CQVJ-PG5V

Affected Products

Openclaw