HIGHCVE-2026-28461Published 2026-03-19Modified 2026-03-19CNA VulnCheck

CVE-2026-28461: OpenClaw < 2026.3.1 - Unbounded Memory Growth in Zalo Webhook via Query String Key Churn

OpenClaw versions prior to 2026.3.1 contain an unbounded memory growth vulnerability in the Zalo webhook endpoint that allows unauthenticated attackers to trigger in-memory key accumulation by varying query strings. Remote attackers can exploit this by sending repeated requests with different query parameters to cause memory pressure, process instability, or out-of-memory conditions that degrade service availability.

CVSS v4.0: 8.7
Severity: HIGH
Fixed in: 2026.3.1
Affected Products: 1

Fix available

2026.3.1

Affected packages

OpenClaw / OpenClaw
< 2026.3.1 (from 0)

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

References

GitHub Security Advisory (GHSA-wr6m-jg37-68xh)
VulnCheck Advisory: OpenClaw < 2026.3.1 - Unbounded Memory Growth in Zalo Webhook via Query String Key Churn

Metrics

Fix available