CVE-2026-28461
Unbounded Memory Growth in OpenClaw Zalo Webhook Causes DoS
Publication date: 2026-03-19
Last updated on: 2026-03-19
Assigner: VulnCheck
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| openclaw | openclaw | up to 2026.3.1 (excluding) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-770 | The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-28461 is a vulnerability in OpenClaw versions prior to 2026.3.1 that affects the Zalo webhook endpoint. It allows unauthenticated attackers to cause unbounded memory growth by sending repeated requests with varying query string keys. This causes the system to accumulate keys in memory without limits, leading to uncontrolled resource consumption.
The vulnerability results from the system allocating memory for each new query string key without any bounds or pruning, which can cause memory pressure, process instability, or out-of-memory conditions.
The issue was fixed in version 2026.3.1 by normalizing webhook keys to exclude query strings and implementing limits and pruning on the tracking state to prevent unbounded memory growth.
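As an added illustration (not OpenClaw's code; the class and function names, the `/webhook/zalo` path and the bound of 1000 entries are assumptions), the unbounded tracking state the advisory describes beside a bounded version that applies the two fixes named above, normalizing the key to drop the query string and capping the map with pruning:

```python
from collections import OrderedDict
from urllib.parse import urlsplit

MAX_TRACKED_KEYS = 1000  # assumed bound for illustration; not OpenClaw's value


class UnboundedTracker:
    """Pre-fix shape: keyed by the raw request target, so every request with
    a fresh query-string key adds an entry that is never pruned (CWE-770)."""

    def __init__(self):
        self.state = {}

    def touch(self, raw_target):
        self.state[raw_target] = self.state.get(raw_target, 0) + 1
        return len(self.state)


class BoundedTracker:
    """Post-fix shape: the key is normalized to the path (query string dropped)
    and the map is capped, evicting the least recently used entry."""

    def __init__(self, max_keys=MAX_TRACKED_KEYS):
        self.state = OrderedDict()
        self.max_keys = max_keys

    @staticmethod
    def normalize(raw_target):
        # Everything after '?' is caller-controlled and unbounded; drop it.
        return urlsplit(raw_target).path

    def touch(self, raw_target):
        key = self.normalize(raw_target)
        if key in self.state:
            self.state.move_to_end(key)
            self.state[key] += 1
        else:
            self.state[key] = 1
            while len(self.state) > self.max_keys:
                self.state.popitem(last=False)  # evict the oldest entry
        return len(self.state)


def simulate(tracker, n):
    """Constructed traffic: n requests to one webhook path, each with a
    different query key. Returns how many entries the tracker holds after."""
    for i in range(n):
        tracker.touch(f"/webhook/zalo?k{i}=1")
    return len(tracker.state)
```

Run `simulate(UnboundedTracker(), 5000)` against `simulate(BoundedTracker(), 5000)` to see the first grow linearly with request count while the second stays at one entry.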
How can this vulnerability impact me?
This vulnerability can impact you by causing excessive memory consumption on the affected system, which can lead to memory pressure and instability of the process handling the webhook.
In severe cases, it can cause out-of-memory (OOM) conditions that degrade or disrupt service availability, potentially causing downtime or degraded performance.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for unusual or excessive memory usage in the OpenClaw process, especially related to the Zalo webhook endpoint.
One approach is to analyze incoming requests to the webhook endpoint for a high volume of requests with varying query string parameters, which may indicate exploitation attempts.
Commands to help detect this include:
- Use system monitoring tools like `top` or `htop` to observe memory usage of the OpenClaw process.
- Use `netstat` or `ss` to monitor active connections to the webhook endpoint.
- Use web server or application logs to identify repeated requests to the webhook endpoint with varying query strings, for example, by running:
  `grep 'webhook' /var/log/openclaw/access.log | awk -F'?' '{print $2}' | sort | uniq -c | sort -nr`
- Use network traffic analysis tools like `tcpdump` or `Wireshark` to capture and analyze requests to the webhook endpoint. [1, 2]
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to upgrade OpenClaw to version 2026.3.1 or later, where the vulnerability is fixed by normalizing webhook keys and implementing bounds and pruning on the tracking state to prevent unbounded memory growth.
Until the upgrade can be applied, consider implementing rate limiting or request throttling on the Zalo webhook endpoint to reduce the impact of repeated requests with varying query strings.
Additionally, monitor system memory usage and restart the OpenClaw service if memory pressure or instability is detected to maintain service availability.