CVSS 7.5 · HIGH

CVE-2026-41405

OpenClaw before 2026.3.31 parses MS Teams webhook request bodies before performing JWT validation, allowing unauthenticated attackers to trigger resource exhaustion. Remote attackers can send malicious Teams webhook payloads to exhaust server resources by bypassing authentication checks.


Analysis

OpenClaw is a niche open-source project with limited adoption in professional software development environments. The flaw is an ordering bug: the Teams webhook handler parses the request body before it validates the caller's JWT, so an unauthenticated sender can make the server do the expensive parsing work for free and exhaust its resources (availability only; confidentiality and integrity are unaffected). Because of the project's narrow footprint it does not represent a systemic risk to the community at large, but operators who expose the Teams webhook endpoint should upgrade to 2026.3.31 or later, since that is the first release that performs JWT validation before parsing.

Severity

Score: 7.5 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
AV: NETWORK
AC: LOW
PR: NONE
UI: NONE
S: UNCHANGED
C: NONE
I: NONE
A: HIGH
Weakness type (CWE): CWE-408 (Incorrect Behavior Order: Early Amplification)

EPSS

Exploitation probability (next 30 days): 0.0016 (0.2%)
Percentile: 36.3%
EPSS date: 2026-05-06

Affects

openclaw:openclaw

Published: 28/4/2026, 19:37:44
Last modified: 30/4/2026, 19:37:34
