Cve-2026-41405 — CraftedSignal Threat Feedhttps://feed.craftedsignal.io/tags/cve-2026-41405/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioWed, 29 Apr 2026 12:00:00 +0000OpenClaw MS Teams Webhook Resource Exhaustion Vulnerabilityhttps://feed.craftedsignal.io/briefs/2026-04-openclaw-resource-exhaustion/Wed, 29 Apr 2026 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-openclaw-resource-exhaustion/OpenClaw before 2026.3.31 parses MS Teams webhook request bodies before performing JWT validation, allowing unauthenticated attackers to exhaust server resources by sending malicious Teams webhook payloads.OpenClaw before version 2026.3.31 is vulnerable to a resource exhaustion attack due to improper handling of MS Teams webhook requests. The application parses the request body before validating the JWT, which allows unauthenticated attackers to send malicious payloads. By sending specially crafted Teams webhook payloads, attackers can bypass authentication checks and exhaust server resources. This vulnerability, identified as CVE-2026-41405, can lead to denial of service and impacts systems where OpenClaw is used to process MS Teams webhooks. Successful exploitation can severely degrade or halt OpenClaw’s functionality.

Attack Chain

  1. An unauthenticated attacker identifies an OpenClaw instance processing MS Teams webhooks.
  2. The attacker crafts a malicious MS Teams webhook payload designed to consume excessive resources during parsing.
  3. The attacker sends the malicious webhook payload to the OpenClaw endpoint.
  4. OpenClaw receives the webhook request and begins parsing the request body before JWT validation.
  5. The malicious payload triggers excessive resource consumption (CPU, memory) during the parsing stage.
  6. The parsing process exhausts available server resources.
  7. OpenClaw becomes unresponsive or crashes due to resource exhaustion.
  8. Legitimate MS Teams webhook requests are no longer processed, leading to a denial of service.

Impact

Successful exploitation of this vulnerability can lead to a denial-of-service condition, rendering OpenClaw unresponsive. This can disrupt any services relying on OpenClaw for MS Teams webhook processing. While the precise number of affected organizations is unknown, any organization using a vulnerable version of OpenClaw is at risk. The impact includes potential loss of data, interrupted workflows, and reputational damage.

Recommendation

  • Upgrade OpenClaw to version 2026.3.31 or later to patch CVE-2026-41405.
  • Implement rate limiting on the MS Teams webhook endpoint to mitigate resource exhaustion, even after patching.
  • Monitor web server logs (category webserver, product linux) for unusual traffic patterns and large request sizes to the MS Teams webhook endpoint.
  • Deploy the Sigma rule Detect High Number of Requests to Teams Webhook to identify potential exploitation attempts.
]]>mediumadvisoryresource-exhaustionwebhookcve-2026-41405