Protect.Computer
NEWS

OpenClaw patches unauthenticated Telegram webhook resource-exhaustion flaw (CVE-2026-32980)

· 1 min read · Network safety Device safety
OpenClaw patches unauthenticated Telegram webhook resource-exhaustion flaw (CVE-2026-32980)

Photo by Ales Nesetril on Unsplash

What happened

OpenClaw disclosed and patched CVE-2026-32980 in openclaw@2026.3.13.

According to the vendor advisory, versions up to 2026.3.12 processed Telegram webhook request bodies before validating the x-telegram-bot-api-secret-token header. That sequence let unauthenticated requests consume memory, socket time, and JSON parsing work before rejection.

Why this matters

If your OpenClaw instance exposes a Telegram webhook endpoint, this bug can be used as a low-friction denial-of-service path. Attackers do not need valid webhook secrets to force pre-auth workload, which can degrade bot availability or increase infrastructure load.

For teams running automation on small VPS or home-lab hardware, this can cause noticeable instability under request floods.

How to check if you’re affected

You are likely affected if you run OpenClaw with Telegram webhooks on version 2026.3.12 or older.

  1. Check your OpenClaw version

    • Run your normal version command and verify whether you are on 2026.3.13 or later.

  2. Confirm Telegram webhook exposure

    • Verify whether Telegram webhook mode is enabled and reachable from the internet.

  3. Review logs around webhook endpoints

    • Look for spikes of unauthorized or malformed POST traffic to the Telegram webhook path.

  4. Validate patched behavior

    • After upgrading, confirm unauthorized webhook requests are rejected quickly (401) before heavy body processing.

  5. If you cannot upgrade immediately

    • Restrict webhook ingress by IP/network controls and add rate limiting at the edge until patching is complete.

Immediate defensive actions

  • Upgrade to openclaw@2026.3.13 or newer.
  • Put rate limiting/WAF protections in front of webhook endpoints.
  • Monitor service memory and request error patterns for attempted abuse.
  • Review other webhook handlers to ensure authentication happens before expensive parsing.

Sources

Bottom line

If you use OpenClaw with Telegram webhooks, treat this as a priority availability hardening update: upgrade to 2026.3.13+ and ensure pre-auth request handling is tightly constrained.

Related reading

News
CISA adds CVE-2025-53521 (F5 BIG-IP APM) to KEV after active exploitation

CISA added CVE-2025-53521 affecting F5 BIG-IP APM to the KEV catalog, signaling active exploitation and urgent patch/mitigation action.

News
ConnectWise patches ScreenConnect flaw that could enable unauthorized access

ConnectWise patched CVE-2026-3564 in ScreenConnect, a critical signature verification weakness that could lead to unauthorized actions and privilege escalation.

News
CISA flags SolarWinds, Ivanti, and Workspace ONE flaws as actively exploited

CISA added three actively exploited vulnerabilities—CVE-2025-26399, CVE-2026-1603, and CVE-2021-22054—to the KEV catalog, with near-term federal remediation deadlines.

News
Cisco IMC auth bypass (CVE-2026-20093) can let attackers take admin control

Cisco says a critical IMC flaw can let unauthenticated attackers bypass auth, reset passwords, and log in as admin on vulnerable UCS servers.