CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Description
OpenClaw before 2026.3.1 contains an unbounded memory growth vulnerability in the Zalo webhook endpoint that allows unauthenticated attackers to trigger memory exhaustion by varying query strings. Attackers can send repeated requests with different query parameters to the same webhook route, causing unbounded in-memory key accumulation that leads to memory pressure, process instability, or out-of-memory conditions.
Analysis
OpenClaw contains an unbounded memory growth vulnerability in its Zalo webhook endpoint that enables unauthenticated remote attackers to exhaust server memory by sending repeated HTTP requests with varying query string parameters. This affects OpenClaw versions prior to 2026.3.1. …
Remediation
Within 24 hours: Identify all OpenClaw instances in production and determine affected versions; assess whether Zalo webhook functionality is actively used. Within 7 days: Implement network-level rate limiting on the webhook endpoint, enable WAF rules to block suspicious query string variations, and isolate webhook processing to a dedicated resource pool with memory limits. …
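The accumulation pattern the advisory describes, beside a bounded alternative, as an added example that is not OpenClaw's code. It assumes a Node/TypeScript webhook handler that keeps a per-route state map keyed by the raw request URL (the page does not show the real data structure); the parameter names, cap and TTL are illustrative.

```typescript
// Vulnerable shape (constructed, not OpenClaw code): every distinct query string mints a
// new key that is never removed, so memory grows with the number of request variants.
class UnboundedRouteState {
  readonly entries = new Map<string, number>();
  record(rawUrl: string, now: number): void {
    this.entries.set(rawUrl, now);
  }
  size(): number { return this.entries.size; }
}

// Hardened shape: keys are built only from allow-listed parameters, the map has a hard
// cap with oldest-first eviction, and entries older than ttlMs are dropped.
class BoundedRouteState {
  private readonly entries = new Map<string, number>();
  private readonly maxEntries: number;
  private readonly ttlMs: number;
  constructor(maxEntries: number, ttlMs: number) {
    this.maxEntries = maxEntries;
    this.ttlMs = ttlMs;
  }
  // Canonical key: path plus allow-listed params only; unknown params cannot create keys.
  static keyFor(rawUrl: string, allowed: readonly string[]): string {
    const u = new URL(rawUrl, "http://webhook.invalid");
    const kept = allowed.filter((p) => u.searchParams.has(p))
      .map((p) => `${p}=${u.searchParams.get(p)}`);
    return `${u.pathname}?${kept.join("&")}`;
  }
  record(rawUrl: string, now: number, allowed: readonly string[]): void {
    for (const [k, t] of this.entries) if (now - t > this.ttlMs) this.entries.delete(k);
    const key = BoundedRouteState.keyFor(rawUrl, allowed);
    this.entries.delete(key); // re-insert so Map insertion order doubles as LRU order
    if (this.entries.size >= this.maxEntries) {
      const oldest = this.entries.keys().next().value; // oldest surviving entry
      if (oldest !== undefined) this.entries.delete(oldest);
    }
    this.entries.set(key, now);
  }
  size(): number { return this.entries.size; }
}

// Constructed traffic: n requests to one route, each with a different query string.
function simulate(n: number, allowed: readonly string[]) {
  const u = new UnboundedRouteState();
  const b = new BoundedRouteState(1000, 60000);
  for (let i = 0; i < n; i++) {
    const url = `/webhooks/zalo?event=message&nonce=${i}`;
    u.record(url, i);
    b.record(url, i, allowed);
  }
  return { unbounded: u.size(), bounded: b.size() };
}
```

Operational monitoring of the map size (or process RSS) per route gives the detection signal for this class of bug even before the fix is deployed.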
EUVD-2026-14565