Is Openclaw affected by CVE-2026-28461?

OpenClaw deployments are vulnerable to denial-of-service attacks that can crash services by exhausting system memory through the Zalo webhook endpoint.

CVE-2026-28461

EUVD-2026-13014 HIGH

2026-03-19 VulnCheck

7.5

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Lifecycle Timeline

Patch Released

Apr 02, 2026 - 14:30 nvd

Patch available

EUVD ID Assigned

Mar 19, 2026 - 01:30 euvd

EUVD-2026-13014

Analysis Generated

Mar 19, 2026 - 01:30 vuln.today

CVE Published

Mar 19, 2026 - 01:00 nvd

HIGH 7.5

Description

OpenClaw versions prior to 2026.3.1 contain an unbounded memory growth vulnerability in the Zalo webhook endpoint that allows unauthenticated attackers to trigger in-memory key accumulation by varying query strings. Remote attackers can exploit this by sending repeated requests with different query parameters to cause memory pressure, process instability, or out-of-memory conditions that degrade service availability.

Analysis

OpenClaw contains an unbounded memory growth vulnerability in its Zalo webhook endpoint that allows unauthenticated remote attackers to exhaust system memory through query string manipulation. OpenClaw versions prior to 2026.3.1 are affected. …

Remediation

Within 24 hours: Inventory all OpenClaw instances and confirm version numbers; disable or restrict access to the Zalo webhook endpoint if not actively used. Within 7 days: Implement Web Application Firewall (WAF) rules to rate-limit and validate webhook requests; enable query parameter filtering. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.1

CVSS: +38

POC: 0

CVE-2026-28461 vulnerability details – vuln.today

Back

CVE-2026-28461

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Analysis

Full analysis requires sign-in

Priority Score

Share

CVE-2026-28461

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Full analysis requires sign-in

Priority Score

Share

External POC / Exploit Code