High severityNVD Advisory· Published Mar 5, 2026· Updated Mar 9, 2026
OpenClaw < 2026.2.13 - Denial of Service via Unbounded Webhook Request Body Buffering
CVE-2026-28478
Description
OpenClaw versions prior to 2026.2.13 contain a denial of service vulnerability in webhook handlers that buffer request bodies without strict byte or time limits. Remote unauthenticated attackers can send oversized JSON payloads or slow uploads to webhook endpoints causing memory pressure and availability degradation.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
openclawnpm | < 2026.2.13 | 2026.2.13 |
clawdbotnpm | <= 2026.1.24-3 | — |
Affected products
3- ghsa-coords2 versions
<= 2026.1.24-3+ 1 more
- (no CPE)range: <= 2026.1.24-3
- (no CPE)range: < 2026.2.13
Patches
Vulnerability mechanics
References
4- github.com/openclaw/openclaw/commit/3cbcba10cf30c2ffb898f0d8c7dfb929f15f8930mitrepatch
- github.com/advisories/GHSA-q447-rj3r-2cghghsaADVISORY
- github.com/openclaw/openclaw/security/advisories/GHSA-q447-rj3r-2cghghsavendor-advisoryWEB
- www.vulncheck.com/advisories/openclaw-denial-of-service-via-unbounded-webhook-request-body-bufferingmitrethird-party-advisory
News mentions
0No linked articles in our index yet.