Executive Summary

CVE-2026-28461 is a vulnerability in OpenClaw versions prior to 2026.3.1 that affects the Zalo webhook endpoint. It allows unauthenticated attackers to cause unbounded memory growth by sending repeated requests with varying query string keys. This causes the system to accumulate keys in memory without limits, leading to uncontrolled resource consumption.

The vulnerability results from the system allocating memory for each new query string key without any bounds or pruning, which can cause memory pressure, process instability, or out-of-memory conditions.

The issue was fixed in version 2026.3.1 by normalizing webhook keys to exclude query strings and implementing limits and pruning on the tracking state to prevent unbounded memory growth.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can impact you by causing excessive memory consumption on the affected system, which can lead to memory pressure and instability of the process handling the webhook.

In severe cases, it can cause out-of-memory (OOM) conditions that degrade or disrupt service availability, potentially causing downtime or degraded performance.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring for unusual or excessive memory usage in the OpenClaw process, especially related to the Zalo webhook endpoint.'}, {'type': 'paragraph', 'content': 'One approach is to analyze incoming requests to the webhook endpoint for a high volume of requests with varying query string parameters, which may indicate exploitation attempts.'}, {'type': 'paragraph', 'content': 'Commands to help detect this include:'}, {'type': 'list_item', 'content': "Use system monitoring tools like 'top' or 'htop' to observe memory usage of the OpenClaw process."}, {'type': 'list_item', 'content': "Use 'netstat' or 'ss' to monitor active connections to the webhook endpoint."}, {'type': 'list_item', 'content': "Use web server or application logs to identify repeated requests to the webhook endpoint with varying query strings, for example, by running: \n`grep 'webhook' /var/log/openclaw/access.log | awk -F'?' '{print $2}' | sort | uniq -c | sort -nr`"}, {'type': 'list_item', 'content': "Use network traffic analysis tools like 'tcpdump' or 'Wireshark' to capture and analyze requests to the webhook endpoint."}] [1, 2]

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation step is to upgrade OpenClaw to version 2026.3.1 or later, where the vulnerability is fixed by normalizing webhook keys and implementing bounds and pruning on the tracking state to prevent unbounded memory growth.

Until the upgrade can be applied, consider implementing rate limiting or request throttling on the Zalo webhook endpoint to reduce the impact of repeated requests with varying query strings.

Additionally, monitor system memory usage and restart the OpenClaw service if memory pressure or instability is detected to maintain service availability.

Useful 0 Not Useful 0