CVE-2026-28478

HIGH EPSS 34.9%
Published Mar 5, 20263mo ago · Modified Jun 17, 20261w ago
8.7 CVSS 4.0
High
Find Similar
Published Mar 5, 2026 3mo ago
Last Modified Jun 17, 2026 1w ago

Description

OpenClaw versions prior to 2026.2.13 contain a denial of service vulnerability in webhook handlers that buffer request bodies without strict byte or time limits. Remote unauthenticated attackers can send oversized JSON payloads or slow uploads to webhook endpoints causing memory pressure and availability degradation.

CVSS Details

Base Score
8.7
Exploitability
Impact
Vector string
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope X

Threat Intelligence

EPSS Exploit Probability
34.9% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-770

Affected Products 1

VendorProductVersionRange
openclawopenclaw* <2026.2.13

References 3

  • github.com https://github.com/openclaw/openclaw/commit/3cbcba10cf30c2ffb898f0d8c7dfb929f15f8930
    Patch
  • github.com https://github.com/openclaw/openclaw/security/advisories/GHSA-q447-rj3r-2cgh
    Vendor Advisory
  • vulncheck.com https://www.vulncheck.com/advisories/openclaw-denial-of-service-via-unbounded-webhook-request-body-buffering
    Third Party Advisory

Remediation

  • github.com https://github.com/openclaw/openclaw/commit/3cbcba10cf30c2ffb898f0d8c7dfb929f15f8930
    Patch