Description
OpenClaw versions prior to 2026.3.1 contain an unbounded memory growth vulnerability in the Zalo webhook endpoint that allows unauthenticated attackers to trigger in-memory key accumulation by varying query strings. Remote attackers can exploit this by sending repeated requests with different query parameters to cause memory pressure, process instability, or out-of-memory conditions that degrade service availability.
Published: 2026-03-19
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Patch Now
AI Analysis

Impact

OpenClaw versions prior to 2026.3.1 contain an unbounded memory growth flaw in the Zalo webhook endpoint. The server stores every unique query string key in memory with no upper bound, causing memory pressure, process instability, and potentially out-of-memory conditions that degrade service availability. Attackers can trigger this effect through unauthenticated HTTP requests by repeatedly sending requests with varying query parameters, forcing the application to grow its in-memory key store indefinitely.
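As an added illustration (not OpenClaw's code and not the vendor's actual fix), the pattern the description names, a per-key store that grows with every new query string key, shown next to a capacity-bounded version that evicts the least recently used key. The store classes, the handler and the webhook path are constructed assumptions.

```javascript
// Added example, not OpenClaw's code: a store keyed by query-string keys,
// first unbounded (CWE-770 pattern from CVE-2026-28461), then bounded.

// Vulnerable pattern: every never-before-seen query key is retained forever,
// so a stream of requests with distinct keys grows memory without limit.
class UnboundedKeyStore {
  constructor() { this.keys = new Map(); }
  record(queryKey) {
    this.keys.set(queryKey, (this.keys.get(queryKey) || 0) + 1);
  }
  get size() { return this.keys.size; }
}

// Hardened pattern: fixed capacity; the least recently used key is evicted
// once the cap is exceeded, so memory use is bounded regardless of input.
class BoundedKeyStore {
  constructor(maxEntries) { this.max = maxEntries; this.keys = new Map(); }
  record(queryKey) {
    const count = this.keys.get(queryKey) || 0;
    this.keys.delete(queryKey);          // re-insert so Map order tracks recency
    this.keys.set(queryKey, count + 1);
    if (this.keys.size > this.max) {
      const oldest = this.keys.keys().next().value; // first entry = least recent
      this.keys.delete(oldest);
    }
  }
  get size() { return this.keys.size; }
}

// Simulated webhook handler: records every query key present in the request URL.
function handleWebhook(store, requestUrl) {
  const { searchParams } = new URL(requestUrl, 'http://localhost');
  for (const key of searchParams.keys()) store.record(key);
}

// Feed n requests whose query keys all differ (constructed input) and report
// how many keys the store holds afterwards. The path is a placeholder.
function keyCountAfter(store, n) {
  for (let i = 0; i < n; i++) {
    handleWebhook(store, `/zalo-webhook?k${i}=1`);
  }
  return store.size;
}

// Unbounded store ends up holding 10000 keys; the bounded one never exceeds 256.
console.log(keyCountAfter(new UnboundedKeyStore(), 10000),
            keyCountAfter(new BoundedKeyStore(256), 10000));
```

Monitoring the size of such a store, or the process heap, over time is the signal the recommended actions below refer to; a store whose size tracks request volume rather than a fixed cap is the condition to alert on.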

Affected Systems

The vulnerability affects all deployments of the OpenClaw application running versions earlier than 2026.3.1, regardless of operating environment, as the issue resides in the core Node.js implementation of the Zalo webhook handler.

Risk and Exploitability

The flaw has a CVSS score of 8.7, indicating high severity. No EPSS score is currently available, and the vulnerability is not listed in the CISA KEV catalog. Because the attack vector is unauthenticated and requires only repeated external requests, the potential for exploitation is significant, especially against publicly exposed webhook endpoints.

Generated by OpenCVE AI on March 19, 2026 at 02:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to OpenClaw version 2026.3.1 or later.
  • If an upgrade is infeasible, implement rate limiting or a web-application firewall on the Zalo webhook endpoint to control request volume.
  • Monitor system memory usage and application logs for abnormal growth or crashes, and respond with service restarts or resource isolation as needed.

Advisories

No advisories yet.

History

Thu, 19 Mar 2026 16:15:00 +0000

Type: Metrics
Values added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 19 Mar 2026 01:30:00 +0000

Type: Description
Values added: OpenClaw versions prior to 2026.3.1 contain an unbounded memory growth vulnerability in the Zalo webhook endpoint that allows unauthenticated attackers to trigger in-memory key accumulation by varying query strings. Remote attackers can exploit this by sending repeated requests with different query parameters to cause memory pressure, process instability, or out-of-memory conditions that degrade service availability.

Type: Title
Values added: OpenClaw < 2026.3.1 - Unbounded Memory Growth in Zalo Webhook via Query String Key Churn

Type: First Time appeared
Values added: Openclaw; Openclaw openclaw

Type: Weaknesses
Values added: CWE-770

Type: CPEs
Values added: cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*

Type: Vendors & Products
Values added: Openclaw; Openclaw openclaw

Type: References
Values added: (none)

Type: Metrics
Values added: cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}
Values added: cvssV4_0 {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-19T15:39:51.770Z

Reserved: 2026-02-27T19:18:14.008Z

Link: CVE-2026-28461

Vulnrichment

Updated: 2026-03-19T15:39:44.044Z

NVD

Status: Analyzed

Published: 2026-03-19T02:16:02.810

Modified: 2026-03-19T19:18:18.730

Link: CVE-2026-28461

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T11:51:32Z

Weaknesses