CVE-2026-35665 Overview
CVE-2026-35665 is a Denial of Service vulnerability in OpenClaw before version 2026.3.24 that stems from an incomplete fix for CVE-2026-32011. The vulnerability exists in the Feishu webhook handler, which accepts request bodies with permissive limits of 1MB and a 30-second timeout before performing signature verification. This design flaw allows an unauthenticated attacker to exhaust server connection resources by sending concurrent slow HTTP POST requests to the Feishu webhook endpoint, effectively blocking legitimate webhook deliveries.
Critical Impact
Unauthenticated attackers can perform resource exhaustion attacks against OpenClaw servers, disrupting webhook functionality and potentially causing service outages for legitimate users.
Affected Products
- OpenClaw versions prior to 2026.3.24
- OpenClaw for Node.js environments
- Systems using Feishu webhook integration
Discovery Timeline
- 2026-04-10 - CVE-2026-35665 published to NVD
- 2026-04-13 - Last updated in NVD database
Technical Details for CVE-2026-35665
Vulnerability Analysis
This vulnerability is classified as CWE-405 (Asymmetric Resource Consumption), a category of denial of service vulnerabilities where an attacker can consume disproportionate server resources with minimal effort. The root issue lies in the architectural decision to process request bodies before authenticating the request source.
The Feishu webhook handler in OpenClaw is configured to accept large request bodies (up to 1MB) and allows connections to remain open for extended periods (30 seconds) without first validating the request signature. This creates an asymmetric resource consumption scenario where attackers can tie up server resources with slow, resource-intensive connections while expending minimal resources themselves.
This vulnerability represents an incomplete remediation of the previously disclosed CVE-2026-32011, indicating that the original patch did not fully address all attack vectors related to pre-authentication resource consumption.
Root Cause
The fundamental issue is the ordering of operations in the webhook request handling pipeline. The handler processes and buffers the entire request body before performing signature verification, rather than validating the request authenticity early in the processing chain. Combined with permissive resource limits (1MB body size, 30-second timeout), this allows unauthenticated requests to consume significant server resources.
Attack Vector
The attack exploits the network-accessible Feishu webhook endpoint without requiring any authentication or special privileges. An attacker can:
- Identify the Feishu webhook endpoint on a vulnerable OpenClaw installation
- Initiate multiple concurrent HTTP POST requests to the endpoint
- Slowly drip-feed data to each connection, keeping them alive for the maximum timeout period
- Exhaust the server's available connection pool, preventing legitimate webhook requests from being processed
This is a "Slowloris"-style attack that leverages the permissive timeout and body size limits to maximize resource consumption with minimal attacker bandwidth.
Detection Methods for CVE-2026-35665
Indicators of Compromise
- Unusual number of concurrent, long-lived HTTP connections to the Feishu webhook endpoint
- HTTP POST requests to webhook endpoints with abnormally slow data transfer rates
- Server resource exhaustion symptoms including increased connection queue depth and timeout errors
- Legitimate Feishu webhook deliveries failing or timing out
Detection Strategies
- Monitor connection duration and data transfer rates to webhook endpoints for anomalies
- Set up alerting for connection pool exhaustion or high concurrent connection counts
- Implement rate limiting and connection monitoring at the reverse proxy or load balancer level
- Review web server access logs for patterns of slow POST requests from single or multiple sources
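As an added illustration of the log review above (not part of the advisory), this Node.js script scans constructed nginx access-log lines for POSTs to the webhook path that held the connection open for most of the 30-second window while transferring very little data, and counts them per source. The log_format, the /feishu/webhook path, the thresholds and the IP addresses are assumptions made for the example.

```javascript
// Assumed nginx log_format for this example (not from the advisory):
//   '$remote_addr [$time_local] "$request" $status $request_length $request_time'
const LINE_RE = /^(\S+) \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+) ([\d.]+)$/;

const WEBHOOK_PATH = '/feishu/webhook'; // assumed path; use the real endpoint path
const SLOW_SECONDS = 20;                // close to the 30 s the vulnerable handler allowed
const MAX_SLOW_BYTES = 4096;            // a real delivery moves far more than this in 20 s

function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  return { ip: m[1], time: m[2], method: m[3], path: m[4],
           status: Number(m[5]), bytes: Number(m[6]), seconds: Number(m[7]) };
}

// A slow POST: a request to the webhook that held the connection open for a long time
// while transferring almost nothing, which is what a drip-fed body looks like in the log.
function isSlowPost(e) {
  return e.method === 'POST' && e.path.startsWith(WEBHOOK_PATH)
      && e.seconds >= SLOW_SECONDS && e.bytes <= MAX_SLOW_BYTES;
}

// Counts slow POSTs per source and names the sources at or above `threshold`.
function findSlowPostSources(lines, threshold = 3) {
  const counts = new Map();
  for (const line of lines) {
    const e = parseLine(line);
    if (e && isSlowPost(e)) counts.set(e.ip, (counts.get(e.ip) || 0) + 1);
  }
  const suspects = [...counts].filter(([, n]) => n >= threshold).map(([ip]) => ip).sort();
  return { counts, suspects };
}

// Constructed sample: one source holding five connections open for ~30 s each with a few
// hundred bytes sent, plus legitimate fast deliveries, a slow GET and a single slow POST elsewhere.
const SAMPLE_LOG = [
  '203.0.113.10 [10/Apr/2026:12:00:31 +0000] "POST /feishu/webhook HTTP/1.1" 408 612 30.002',
  '203.0.113.10 [10/Apr/2026:12:00:31 +0000] "POST /feishu/webhook HTTP/1.1" 408 598 30.001',
  '203.0.113.10 [10/Apr/2026:12:00:32 +0000] "POST /feishu/webhook HTTP/1.1" 408 605 29.998',
  '203.0.113.10 [10/Apr/2026:12:00:32 +0000] "POST /feishu/webhook HTTP/1.1" 408 611 30.004',
  '203.0.113.10 [10/Apr/2026:12:00:32 +0000] "POST /feishu/webhook HTTP/1.1" 408 590 30.000',
  '198.51.100.7 [10/Apr/2026:12:00:05 +0000] "POST /feishu/webhook HTTP/1.1" 200 2310 0.043',
  '198.51.100.7 [10/Apr/2026:12:00:09 +0000] "POST /feishu/webhook HTTP/1.1" 200 2295 0.051',
  '198.51.100.22 [10/Apr/2026:12:00:40 +0000] "GET /healthz HTTP/1.1" 200 210 25.310',
  '203.0.113.55 [10/Apr/2026:12:00:41 +0000] "POST /feishu/webhook HTTP/1.1" 408 640 30.003',
];

console.log('sources exceeding threshold:', findSlowPostSources(SAMPLE_LOG).suspects);
```

The 408 status on the flagged lines is what nginx records when client_body_timeout fires, so the same query also measures how often a front-end timeout is already cutting such connections off.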
Monitoring Recommendations
- Deploy application performance monitoring (APM) to track webhook endpoint response times and connection states
- Configure infrastructure monitoring to alert on connection pool utilization thresholds
- Establish baseline metrics for normal webhook traffic patterns to identify deviations
- Enable detailed logging on the Feishu webhook handler to capture connection metadata
How to Mitigate CVE-2026-35665
Immediate Actions Required
- Upgrade OpenClaw to version 2026.3.24 or later immediately
- Implement rate limiting on the Feishu webhook endpoint at the reverse proxy level
- Configure aggressive connection timeouts for unauthenticated requests
- Consider temporarily disabling the Feishu webhook if not actively in use
Patch Information
OpenClaw version 2026.3.24 contains the fix for this vulnerability. The patch addresses the incomplete remediation from CVE-2026-32011 by implementing proper request validation ordering and reducing the permissive resource limits. For detailed patch information, refer to the GitHub Security Advisory.
Workarounds
- Deploy a reverse proxy with strict request body size limits and shorter timeouts in front of OpenClaw
- Implement IP-based rate limiting to restrict concurrent connections from single sources
- Use a Web Application Firewall (WAF) to detect and block Slowloris-style attack patterns
- Restrict network access to the Feishu webhook endpoint to known Feishu IP ranges if possible
# Example nginx configuration to mitigate slow POST attacks.
# limit_conn_zone is only valid in the http block; the remaining directives go in the
# server or location block that fronts the webhook endpoint.
limit_conn_zone $binary_remote_addr zone=webhook_conn:10m;
client_body_timeout 5s;      # applies between successive reads, not to the whole body, so pair it with limit_conn
client_header_timeout 5s;
client_max_body_size 256k;   # well below the 1 MB the vulnerable handler accepted
limit_conn webhook_conn 10;  # at most 10 concurrent connections per client address
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.