CVE-2026-35665: OpenClaw: pre-auth resource exhaustion via Feishu webhook DoS

MEDIUM
Published April 10, 2026
CISO Take

OpenClaw's Feishu webhook handler buffers up to 1MB of request body and waits up to 30 seconds before verifying the sender's signature, meaning any unauthenticated internet actor can monopolize server connections with deliberately slow POST requests and prevent legitimate webhook events from being processed. This is an incomplete remediation of CVE-2026-32011, indicating the root design flaw — late signature verification — was not fully addressed in the prior patch cycle. Although the impact is limited to availability (CVSS 5.3, A:L) and the package has only 4 downstream dependents with no active exploitation evidence in CISA KEV, the zero-prerequisite attack surface (no auth, no complexity, network-reachable) makes targeted disruption of AI agent webhook pipelines trivial to execute. Upgrade to OpenClaw ≥ 2026.3.24 immediately; if upgrading is not feasible, enforce connection-level rate limiting and strict payload-size caps at the reverse proxy before the webhook endpoint, and consider IP allowlisting for Feishu source ranges.

Sources: NVD, GitHub Advisory, VulnCheck, ATLAS

What is the risk?

Medium risk overall, but operationally significant for any deployment where OpenClaw agent workflows depend on timely Feishu webhook delivery. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms zero-barrier exploitation from any internet host. Impact ceiling is low (A:L, no C or I impact), and the absence of a public exploit, Nuclei template, or KEV listing reduces immediate threat probability. The incomplete-fix history (this is the second attempt at patching the same class of flaw) raises concern about thoroughness of the vendor's remediation process. Downstream blast radius is narrow with only 4 dependents tracked.

How does the attack unfold?

  1. Reconnaissance (AML.T0006): The attacker identifies a publicly reachable OpenClaw instance with the Feishu webhook endpoint exposed, via service fingerprinting, Shodan-style scanning, or leaked configuration.

  2. Exploitation (AML.T0049): The attacker opens many concurrent HTTP POST connections to the Feishu webhook path and deliberately trickles bytes at a slow rate, exploiting the 30-second read timeout and 1MB body buffer that are applied before signature verification occurs.

  3. Resource Exhaustion (AML.T0034): The server's connection pool and worker threads are saturated by the slow concurrent connections; the server cannot accept or process new requests from legitimate sources.

  4. Impact — Agent Silencing (AML.T0029): Legitimate Feishu webhook events from the messaging platform are dropped or queued indefinitely, effectively silencing the AI agent's Feishu-driven input channel and disrupting all agent workflows that depend on it.

What systems are affected?

Package: OpenClaw
Ecosystem: pip
Patched: No patch
Dependents: 4 (37% patched, ~3d to patch)


How severe is it?

CVSS 3.1: 5.3 / 10
EPSS: N/A
Exploitation Status: No known exploitation
Sophistication: Trivial

What is the attack surface?

AV (Attack Vector): Network
AC (Attack Complexity): Low
PR (Privileges Required): None
UI (User Interaction): None
S (Scope): Unchanged
C (Confidentiality): None
I (Integrity): None
A (Availability): Low

What should I do?

  1. Patch: Upgrade OpenClaw to version 2026.3.24 or later — the vendor advisory (GHSA-w6m8-cqvj-pg5v) documents the fix.

  2. Reverse proxy hardening (workaround if patching is delayed): Apply `client_max_body_size` (nginx) or equivalent to restrict body size to the minimum legitimately expected by Feishu payloads (typically <64KB); set aggressive read timeouts (e.g., 5s) on the webhook endpoint at the proxy layer.

  3. Connection-rate limiting: Use `limit_conn` (nginx) or WAF rules to cap concurrent connections per source IP to the webhook path.

  4. Network-layer control: If Feishu publishes its outbound IP ranges, allowlist only those ranges at the firewall for the webhook endpoint.

  5. Detection: Monitor for slow-loris-pattern connections (high concurrent open connections, low bytes/sec) on the Feishu webhook path; alert on webhook delivery failures or processing latency spikes.
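A detection check for step 5, written as an added example for this page (it is not OpenClaw's code or a proxy's feature): it takes a snapshot of in-flight connections on the webhook path, in an assumed record shape (source IP, path, seconds open, body bytes received so far) that a proxy status export or a socket-statistics collector would have to be mapped into, flags connections that have been open for a while yet delivered almost no body bytes, raises one alert per source once that source holds several such connections, and raises a separate saturation alert when trickling connections across all sources are numerous, which catches a sender spread over many addresses. The thresholds, addresses and both sample snapshots are constructed.

```python
"""Slow-POST (slow-loris style) detection on a webhook path.

Added example; not OpenClaw's code. Input is a snapshot of in-flight
connections in an assumed record shape (src_ip, path, seconds open, body
bytes received so far); a proxy status export or a socket-statistics
collector would need to be mapped into it. All sample data is constructed.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass

WEBHOOK_PATH = "/webhook/feishu"   # path named in the advisory
MIN_AGE_SECS = 2.0                 # too young to rate fairly before this
MAX_SLOW_BPS = 200.0               # body bytes/sec below this = trickling
PER_IP_THRESHOLD = 5               # trickling conns from one source -> alert
GLOBAL_THRESHOLD = 20              # trickling conns overall -> alert


@dataclass(frozen=True)
class Conn:
    src_ip: str
    path: str
    open_secs: float   # how long the request has been in flight
    body_bytes: int    # request-body bytes received so far


def is_trickling(c: Conn) -> bool:
    """A request that has been open a while yet delivered almost no body."""
    if c.open_secs < MIN_AGE_SECS:
        return False
    return c.body_bytes / c.open_secs < MAX_SLOW_BPS


def find_slow_sources(conns: list[Conn], path: str = WEBHOOK_PATH) -> tuple[dict[str, int], int]:
    """Return ({src_ip: trickling count} for sources over threshold, total trickling)."""
    per_ip: dict[str, int] = defaultdict(int)
    total = 0
    for c in conns:
        if c.path != path or not is_trickling(c):
            continue
        per_ip[c.src_ip] += 1
        total += 1
    offenders = {ip: n for ip, n in per_ip.items() if n >= PER_IP_THRESHOLD}
    return offenders, total


def alerts(conns: list[Conn], path: str = WEBHOOK_PATH) -> list[str]:
    """Alert lines: one per offending source, plus a saturation line when the total is high."""
    offenders, total = find_slow_sources(conns, path)
    lines = [f"slow-POST source {ip}: {n} trickling connections on {path}"
             for ip, n in sorted(offenders.items())]
    if total >= GLOBAL_THRESHOLD:
        lines.append(f"slow-POST saturation: {total} trickling connections on {path}")
    return lines


# Constructed snapshot: one source holding six trickling POSTs (about one
# byte every two seconds), a normal delivery, a fresh connection, and a
# slow connection on an unrelated path.
SAMPLE = (
    [Conn("203.0.113.7", WEBHOOK_PATH, 20.0 + i, 10) for i in range(6)]
    + [Conn("198.51.100.20", WEBHOOK_PATH, 0.3, 2400),
       Conn("203.0.113.9", WEBHOOK_PATH, 0.5, 0),
       Conn("203.0.113.9", "/healthz", 25.0, 5)]
)

# Constructed distributed case: 25 sources, one trickling connection each.
DISTRIBUTED = [Conn(f"192.0.2.{i}", WEBHOOK_PATH, 15.0, 3) for i in range(1, 26)]

if __name__ == "__main__":
    for line in alerts(SAMPLE) + alerts(DISTRIBUTED):
        print(line)
```

The per-source rule pairs naturally with the `limit_conn` cap in step 3 (an alert here means the cap is being hit or is too generous); the saturation rule is the one to watch when the cap is in place, since it fires on the aggregate regardless of how the connections are distributed. Alert on webhook processing latency as well, as the step says, because a snapshot taken between connection bursts can look clean.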

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
ISO 42001
8.2 - AI risk assessment
NIST AI RMF
MANAGE 2.4 - Residual risks and incidents
OWASP LLM Top 10
LLM10 - Unbounded Consumption


What is the AI security impact?

Affected AI Architectures

agent frameworks, webhook integrations, event-driven agent pipelines

MITRE ATLAS Techniques

AML.T0029 Denial of AI Service
AML.T0034 Cost Harvesting
AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: 8.2
NIST AI RMF: MANAGE 2.4
OWASP LLM Top 10: LLM10

What are the technical details?

Original Advisory

OpenClaw before 2026.3.24 contains an incomplete fix for CVE-2026-32011 where the Feishu webhook handler accepts request bodies with permissive limits of 1MB and 30-second timeout before signature verification. An unauthenticated attacker can exhaust server connection resources by sending concurrent slow HTTP POST requests to the Feishu webhook endpoint, blocking legitimate webhook deliveries.

Exploitation Scenario

An attacker discovers an internet-exposed OpenClaw instance with Feishu webhook integration enabled — trivially discoverable via service fingerprinting or public configuration leaks. The attacker opens dozens of concurrent HTTP POST connections to the `/webhook/feishu` endpoint and deliberately sends bytes in tiny increments (e.g., 1 byte every 2 seconds), keeping each connection alive for the full 30-second read timeout while the server buffers up to 1MB per connection awaiting the complete body needed for signature verification. With enough concurrent slow connections, the server's connection pool or thread pool is exhausted. Legitimate Feishu webhook events from the actual messaging platform are rejected or queued indefinitely, silencing the AI agent's Feishu input channel. The attacker sustains this with minimal bandwidth — the attack is asymmetric by design (CWE-405), requiring far less attacker resources than server resources consumed.

Weaknesses (CWE)

CWE-405 — Asymmetric Resource Consumption (Amplification): The product does not properly control situations in which an adversary can cause the product to consume or produce excessive resources without requiring the adversary to invest equivalent work or otherwise prove authorization, i.e., the adversary's influence is "asymmetric."

  • [Architecture and Design] An application must make resources available to a client commensurate with the client's access level.
  • [Architecture and Design] An application must, at all times, keep track of allocated resources and meter their usage appropriately.

Source: MITRE CWE corpus.
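To make the two CWE-405 mitigations above concrete, and to show why the step 2 workaround (a 64KB body cap and a 5s read timeout at the proxy) helps even before the patch, here is an added example written for this page; it is not OpenClaw's code and not the vendor's fix. It simulates a request-body reader on a virtual clock: a "socket" is an iterable of (arrival time, bytes) chunks, a total read deadline is measured from the start of the request (an assumption; proxies differ in exactly what their timeouts measure), and the reader gives up the moment either limit is exceeded, so the time and memory an unauthenticated sender can hold are metered rather than handed out on demand. The 1MB/30s values are the advisory's; the sample senders and their timings are constructed.

```python
"""Bounded request-body reading, simulated on a virtual clock.

Added example; not OpenClaw's code. It shows why a small size cap and a
short read deadline, enforced before the body is complete and before any
expensive work, bound what an unauthenticated sender can tie up (the
CWE-405 mitigation: resources metered, not handed out on demand). A
"socket" here is an iterable of (arrival_time_secs, bytes) chunks; all
timings and limit values except the advisory's 1MB/30s are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable, Iterator, Optional


@dataclass(frozen=True)
class Limits:
    max_body_bytes: int
    read_deadline_secs: float


# Pre-fix values quoted in the advisory.
PERMISSIVE = Limits(max_body_bytes=1_000_000, read_deadline_secs=30.0)
# Values from the proxy-hardening workaround (64KB cap, 5s read timeout).
HARDENED = Limits(max_body_bytes=64 * 1024, read_deadline_secs=5.0)


@dataclass(frozen=True)
class Outcome:
    status: str        # "ok" | "timeout" | "too_large" | "incomplete"
    held_secs: float   # how long the connection and its buffer stayed allocated
    buffered: int      # bytes buffered when the outcome was decided


def read_body(chunks: Iterable[tuple[float, bytes]], limits: Limits,
              content_length: Optional[int] = None) -> Outcome:
    """Read a body under `limits`; give up as soon as either limit is exceeded."""
    # A declared length over the cap is rejected before buffering a single byte.
    if content_length is not None and content_length > limits.max_body_bytes:
        return Outcome("too_large", 0.0, 0)
    buf = bytearray()
    last_t = 0.0
    for t, data in chunks:
        if t > limits.read_deadline_secs:
            # The deadline passed before this chunk arrived: the server drops
            # the connection at the deadline (assumed: deadline counts from request start).
            return Outcome("timeout", limits.read_deadline_secs, len(buf))
        buf += data
        last_t = t
        if len(buf) > limits.max_body_bytes:      # also covers chunked bodies with no length
            return Outcome("too_large", t, len(buf))
        if content_length is not None and len(buf) >= content_length:
            return Outcome("ok", t, len(buf))
    if content_length is None:                    # sender ended the stream: body complete
        return Outcome("ok", last_t, len(buf))
    return Outcome("incomplete", last_t, len(buf))


def trickle(interval_secs: float, total_secs: float) -> Iterator[tuple[float, bytes]]:
    """Constructed slow sender: one byte every `interval_secs` for `total_secs`."""
    n = int(total_secs / interval_secs)
    return ((interval_secs * i, b"x") for i in range(1, n + 1))


# Constructed legitimate delivery: a small JSON body arriving at once.
LEGIT_BODY = b'{"type":"event_callback","event":{"message":{"text":"hi"}}}'
LEGIT_CHUNKS = [(0.05, LEGIT_BODY)]
# Constructed oversize delivery: 200KB in two chunks, well under 1MB.
BIG_CHUNKS = [(0.1, b"a" * 100_000), (0.2, b"a" * 100_000)]


def compare(chunks_factory, content_length: Optional[int]) -> dict[str, Outcome]:
    """Run the same sender against both limit sets."""
    return {"permissive": read_body(chunks_factory(), PERMISSIVE, content_length),
            "hardened": read_body(chunks_factory(), HARDENED, content_length)}


if __name__ == "__main__":
    print("slow sender:", compare(lambda: trickle(2.0, 60.0), 4096))
    print("legit:", compare(lambda: list(LEGIT_CHUNKS), len(LEGIT_BODY)))
    print("200KB:", compare(lambda: list(BIG_CHUNKS), 200_000))
```

Under the permissive limits a sender trickling one byte every two seconds holds a connection for the full 30 seconds with the buffer allocated the whole time; under the hardened limits the same sender is dropped after 5 seconds, so each attacker connection costs the server one sixth of the time, and an oversize declared length is refused before any byte is buffered. A genuine small Feishu-style payload passes both. The cap and deadline only need to be tight enough for real payloads, which is why step 2 sizes them to what Feishu actually sends.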

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Timeline

Published: April 10, 2026
Last Modified: June 23, 2026
First Seen: June 23, 2026
