HIGHCVE-2026-28478Published 2026-03-05Modified 2026-03-09CNA VulnCheck

CVE-2026-28478: OpenClaw < 2026.2.13 - Denial of Service via Unbounded Webhook Request Body Buffering

OpenClaw versions prior to 2026.2.13 contain a denial of service vulnerability in webhook handlers that buffer request bodies without strict byte or time limits. Remote unauthenticated attackers can send oversized JSON payloads or slow uploads to webhook endpoints causing memory pressure and availability degradation.

CVSS v4.0: 8.7
Severity: HIGH
Fixed in: 2026.2.13
Affected Products: 1

Fix available

2026.2.13

Patch commits

Patch Commit

Affected packages

OpenClaw / OpenClaw
< 2026.2.13 (from 0)

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

References

GitHub Security Advisory (GHSA-q447-rj3r-2cgh)
Patch Commit
VulnCheck Advisory: OpenClaw < 2026.2.13 - Denial of Service via Unbounded Webhook Request Body Buffering

Metrics

Fix available