VYPR
High severity · NVD Advisory · Published Mar 5, 2026 · Updated Mar 9, 2026

OpenClaw < 2026.2.13 - Denial of Service via Unbounded Webhook Request Body Buffering

CVE-2026-28478

Description

OpenClaw versions prior to 2026.2.13 contain a denial of service vulnerability in webhook handlers that buffer request bodies without strict byte or time limits. Remote unauthenticated attackers can send oversized JSON payloads or slow uploads to webhook endpoints, causing memory pressure and availability degradation.
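
One way to bound a webhook body read by both bytes and time, the two limits the description says were missing. This is an added example, not OpenClaw's code or its patch; the function names, error codes and limit values are assumptions.

```javascript
// Added example (not OpenClaw's code); limits and all names are assumptions.
const LIMITS = { maxBytes: 1024 * 1024, timeoutMs: 10_000 };

// Error carrying a machine-readable code: 'PAYLOAD_TOO_LARGE' or 'BODY_TIMEOUT'.
const limitError = (code) => Object.assign(new Error(code), { code });

// Reads a request body, enforcing a byte cap and an overall deadline.
// `req` is a Node.js readable request (http.IncomingMessage in practice).
function readBodyBounded(req, { maxBytes, timeoutMs } = LIMITS) {
  return new Promise((resolve, reject) => {
    const chunks = [];
    let received = 0;
    let settled = false;
    const settle = (err, body) => {
      if (settled) return;
      settled = true;
      clearTimeout(timer);
      if (err) {
        chunks.length = 0; // release whatever was buffered so far
        req.destroy();     // stop reading and drop the connection
        reject(err);
      } else {
        resolve(body);
      }
    };
    // Deadline for the whole body, so a slow drip of bytes cannot extend it.
    const timer = setTimeout(() => settle(limitError('BODY_TIMEOUT')), timeoutMs);
    // Content-Length is only a hint (absent with chunked encoding), so the
    // running count in the 'data' handler is what actually enforces the cap.
    if (Number(req.headers['content-length']) > maxBytes) {
      return settle(limitError('PAYLOAD_TOO_LARGE'));
    }
    req.on('data', (chunk) => {
      if (settled) return;
      received += chunk.length;
      if (received > maxBytes) return settle(limitError('PAYLOAD_TOO_LARGE'));
      chunks.push(chunk);
    });
    req.on('end', () => settle(null, Buffer.concat(chunks)));
    req.on('error', (err) => settle(err));
  });
}

// JSON is parsed only after the bounded read has succeeded.
async function readWebhookJson(req, limits = LIMITS) {
  return JSON.parse((await readBodyBounded(req, limits)).toString('utf8'));
}
```

The deadline covers the whole body rather than the gap between chunks, so a sender that trickles one byte at a time still hits `BODY_TIMEOUT`.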

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
| --- | --- | --- |
| openclaw (npm) | < 2026.2.13 | 2026.2.13 |
| clawdbot (npm) | <= 2026.1.24-3 | |
