Description
OpenClaw versions prior to 2026.2.13 contain a denial of service vulnerability in webhook handlers that buffer request bodies without strict byte or time limits. Remote unauthenticated attackers can send oversized JSON payloads or slow uploads to webhook endpoints causing memory pressure and availability degradation.
Published: 2026-03-05
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Unauthenticated Denial of Service
Action: Apply Patch
AI Analysis

Impact

OpenClaw versions before 2026.2.13 let an unauthenticated remote attacker trigger a denial of service by sending large or slow JSON payloads to webhook endpoints. The handlers buffer the entire request body before processing it, with no byte cap and no deadline, so memory grows with whatever the attacker sends and a slow upload keeps its buffer allocated for as long as the connection is held open. The result is application slowdown or crash (CWE-770, allocation of resources without limits). Only availability is affected; the CVSS vectors record no confidentiality or integrity impact.

Affected Systems

The vulnerability affects the OpenClaw project; the CPE recorded for this CVE (cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*) lists Node.js as the target software. All installations running any version earlier than 2026.2.13 are impacted. No specific OS or platform restriction is listed, because the flaw sits in OpenClaw's own webhook handling rather than in a platform component, so any deployment that exposes a webhook endpoint to the network is reachable.

Risk and Exploitability

The CVSS 4.0 base score of 8.7 (CVSS 3.1: 7.5) denotes high severity: the vector is network-reachable, low complexity, no privileges and no user interaction required, with high availability impact and no confidentiality or integrity impact. The EPSS score below 1% indicates a very low estimated likelihood of exploitation in the wild, and the SSVC record on this page lists Exploitation: none. The vulnerability is not in CISA's KEV catalog; that means no in-the-wild exploitation has been catalogued, not that exploitation is difficult, and the same SSVC record rates the issue Automatable: yes. An attacker needs nothing more than network reach to a webhook endpoint: a single unauthenticated request with an oversized JSON body, or a POST whose body is trickled in and never completed, makes the handler buffer without bound, leading to excessive memory usage and potential service interruption.

Generated by OpenCVE AI on April 17, 2026 at 12:35 UTC.

Remediation

No vendor fix or workaround is recorded in the advisory metadata on this page. The affected range (versions prior to 2026.2.13) indicates that 2026.2.13 is the first fixed version; see the recommended actions below.

OpenCVE Recommended Actions

  • Upgrade to OpenClaw version 2026.2.13 or later, which implements request size and time limits for webhook handlers
  • If an upgrade is not yet feasible, enable application‑level request limiting on webhook endpoints: reject bodies above a safe byte threshold and abort requests whose body does not arrive in full within a bounded time, since both oversized and slow uploads trigger the flaw
  • Employ network‑level defenses such as rate limiting or traffic shaping to throttle or block unusually large or slow data streams to the webhooks

Generated by OpenCVE AI on April 17, 2026 at 12:35 UTC.


Advisories
Source        ID                    Title
Github GHSA   GHSA-q447-rj3r-2cgh   OpenClaw affected by denial of service via unbounded webhook request body buffering
History

Mon, 09 Mar 2026 19:15:00 +0000

Type      Values Removed   Values Added
Metrics   -                ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 05 Mar 2026 22:15:00 +0000

Type                  Values Removed   Values Added
Description           -                OpenClaw versions prior to 2026.2.13 contain a denial of service vulnerability in webhook handlers that buffer request bodies without strict byte or time limits. Remote unauthenticated attackers can send oversized JSON payloads or slow uploads to webhook endpoints causing memory pressure and availability degradation.
Title                 -                OpenClaw < 2026.2.13 - Denial of Service via Unbounded Webhook Request Body Buffering
First Time appeared   -                Openclaw; Openclaw openclaw
Weaknesses            -                CWE-770
CPEs                  -                cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*
Vendors & Products    -                Openclaw; Openclaw openclaw
References            -
Metrics               -                cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}
                                       cvssV4_0: {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-09T18:12:08.104Z

Reserved: 2026-02-27T19:20:17.867Z

Link: CVE-2026-28478

Vulnrichment

Updated: 2026-03-09T18:12:04.202Z

NVD

Status : Analyzed

Published: 2026-03-05T22:16:22.210

Modified: 2026-03-17T18:03:34.133

Link: CVE-2026-28478

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T12:45:16Z

Weaknesses