Platform: nodejs
Component: openclaw
Fixed in: 2026.3.1
CVE-2026-28461 describes a memory exhaustion vulnerability in openclaw. An attacker can trigger unbounded in-memory key growth by manipulating query strings in unauthenticated requests to a reachable Zalo webhook endpoint. This can lead to process instability or Out-of-Memory (OOM) conditions, degrading the availability of the service. Versions of openclaw prior to 2026.3.1 are affected, and a patch has been released.
The primary impact of CVE-2026-28461 is a denial-of-service (DoS) condition. By repeatedly sending crafted webhook requests with varying query strings, an attacker can exhaust the available memory resources of the openclaw process. This memory exhaustion can manifest as process instability, slow response times, or ultimately, a complete crash of the service. The vulnerability's unauthenticated nature means that any attacker with network access to the Zalo webhook endpoint can potentially trigger this issue. While the vulnerability doesn't directly expose sensitive data, the resulting service disruption can have significant operational consequences.
CVE-2026-28461 was publicly disclosed on 2026-03-02. There is currently no indication of active exploitation in the wild, nor are there any publicly available proof-of-concept (PoC) exploits. The vulnerability has not been added to the CISA KEV catalog. The EPSS score is likely low given the lack of public exploits and active campaigns.
Exploit Status
EPSS: 0.09% (26th percentile)
CISA SSVC
CVSS Vector
The recommended mitigation for CVE-2026-28461 is to immediately upgrade openclaw to version 2026.3.1 or later. This version includes a fix that normalizes keys to matched webhook path semantics (excluding query strings) and bounds/prunes the tracking state, preventing unbounded memory growth. If upgrading is not immediately feasible, consider implementing rate limiting on the Zalo webhook endpoint to restrict the number of requests from a single source within a given timeframe. This can help to mitigate the impact of an attack by slowing down the rate at which memory is consumed. After upgrading, confirm the fix by sending multiple webhook requests with varying query strings and monitoring memory usage to ensure it remains within acceptable limits.
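The two tracking patterns the fix contrasts, as an added Node.js illustration that is not openclaw's code: `trackUnbounded` keys per-request state on the full URL (the pattern the advisory describes), while `makeBoundedTracker` keys on the matched path only and prunes by TTL and size. The `/zalo/webhook` path, the limits and the `demo` loop are constructed for the example.

```javascript
// Vulnerable pattern: one map entry per distinct request URL, never pruned.
// Every new query string is a new key, so the map grows without bound.
function trackUnbounded(state, rawUrl) {
  const key = rawUrl; // still contains "?x=1", "?x=2", ...
  state.set(key, (state.get(key) || 0) + 1);
  return state.size;
}

// Hardened pattern: key on the webhook path only, cap the map, expire entries.
// maxKeys / ttlMs are illustrative limits; `now` is injectable for testing.
function makeBoundedTracker(maxKeys = 1000, ttlMs = 60_000, now = Date.now) {
  const state = new Map(); // key -> { count, last }; insertion order = age
  function normalize(rawUrl) {
    // Query string and fragment are attacker-controlled and carry no route
    // identity, so they are dropped before the value is used as a key.
    return new URL(rawUrl, "http://localhost").pathname;
  }
  function prune(t) {
    for (const [k, v] of state) if (t - v.last > ttlMs) state.delete(k);
    // Still over budget: evict the oldest entries first.
    while (state.size > maxKeys) state.delete(state.keys().next().value);
  }
  function track(rawUrl) {
    const t = now();
    const key = normalize(rawUrl);
    const prev = state.get(key);
    if (prev) { state.delete(key); } // re-insert so the key moves to "newest"
    const entry = prev ? { count: prev.count + 1, last: t } : { count: 1, last: t };
    state.set(key, entry);
    prune(t);
    return { key, count: entry.count, size: state.size };
  }
  return { track, size: () => state.size };
}

// Constructed demonstration: n requests to one route with varying query strings.
function demo(n = 5000) {
  const unbounded = new Map();
  const bounded = makeBoundedTracker(100);
  let unboundedKeys = 0, last = null;
  for (let i = 0; i < n; i++) {
    const url = `/zalo/webhook?x=${i}`; // constructed sample path
    unboundedKeys = trackUnbounded(unbounded, url);
    last = bounded.track(url);
  }
  return { unboundedKeys, boundedKeys: last.size, boundedCount: last.count };
}
```

`demo()` shows the unbounded map holding one key per request while the bounded tracker holds a single key whose counter still records every request, which is the state the advisory's post-upgrade memory check should observe.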
Update OpenClaw to version 2026.3.1 or higher. This version fixes the unbounded memory growth vulnerability in the Zalo webhook by preventing key accumulation in memory through query string variation. The update mitigates the risk of memory pressure, process instability, or out-of-memory conditions that degrade service availability.
CVE-2026-28461 is a HIGH severity vulnerability affecting openclaw versions <= 2026.2.26. It allows unauthenticated attackers to trigger unbounded memory growth via webhook requests, potentially leading to service disruption.
You are affected if you are using openclaw version 2026.2.26 or earlier. Check your version and upgrade immediately.
Upgrade openclaw to version 2026.3.1 or later. This resolves the unbounded memory growth issue.
There is currently no evidence of active exploitation in the wild or publicly available proof-of-concept exploits.
Refer to the openclaw project's release notes and security advisories for the latest information: [https://github.com/your-openclaw-repo/releases](https://github.com/your-openclaw-repo/releases)