Vulnerability in OpenClaw

CVE-2026-41405

OpenClaw before 2026.3.31 parses MS Teams webhook request bodies before performing JWT validation, allowing unauthenticated attackers to trigger resource exhaustion. Remote attackers can send malicious Teams webhook payloads to exhaust ser…

EPSS: 0.002 (45.7th percentile).

CVSS v3 metric

CVSS v3 base score 7.5 (High). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H.

Frequently asked questions

What is CVE-2026-41405?
CVE-2026-41405 is a high-severity vulnerability in OpenClaw, classified under CWE-408. CVSS score: 7.5/10. Published 2026-04-28.

How severe is CVE-2026-41405?
High severity. CVSS v3 base score is 7.5 out of 10.