CVE-2026-28461 in OpenClaw
Summary
by MITRE • 03/19/2026
OpenClaw versions prior to 2026.3.1 contain an unbounded memory growth vulnerability in the Zalo webhook endpoint that allows unauthenticated attackers to trigger in-memory key accumulation by varying query strings. Remote attackers can exploit this by sending repeated requests with different query parameters to cause memory pressure, process instability, or out-of-memory conditions that degrade service availability.
Analysis
by VulDB Data Team • 03/23/2026
The vulnerability identified as CVE-2026-28461 affects OpenClaw versions prior to 2026.3.1 and represents a critical memory management flaw within the Zalo webhook endpoint implementation. This issue stems from inadequate input validation and memory allocation handling when processing incoming HTTP requests through the webhook interface. The vulnerability manifests when the system fails to properly constrain memory usage during query parameter processing, allowing attackers to accumulate memory resources indefinitely through crafted requests.
The technical exploitation of this vulnerability occurs through the manipulation of query strings in HTTP requests sent to the Zalo webhook endpoint. Attackers can repeatedly send requests with varying query parameters to trigger a memory accumulation pattern that grows without bounds. This unbounded memory growth directly violates the principle of resource limitation and proper input sanitization that should be enforced at all levels of network service implementation. The flaw operates at the application layer and specifically targets the memory management subsystem responsible for handling webhook request processing.
From an operational impact perspective, this vulnerability creates significant risks to service availability and system stability. The memory accumulation process leads to progressive memory pressure that eventually results in process instability or complete out-of-memory conditions. These conditions cause the affected service to become unresponsive or crash entirely, resulting in denial of service for legitimate users. The vulnerability is particularly dangerous because it requires minimal authentication to exploit, making it accessible to any remote attacker with network access to the vulnerable system.
The attack pattern matches the resource-exhaustion techniques catalogued in the attack taxonomy, which fall under the broader category of denial-of-service vulnerabilities. The flaw reflects weak memory management and input validation practices, giving attackers a way to degrade service availability systematically, and it represents a failure of defensive programming principles that robust application design requires.
Mitigation strategies should focus on implementing strict query parameter validation and memory usage limits for the webhook endpoint. The most effective approach involves adding input sanitization measures that constrain the maximum number of query parameters processed and establish memory allocation caps for each request handling cycle. System administrators should immediately upgrade to OpenClaw version 2026.3.1 or later, which includes proper memory management controls and input validation mechanisms. Additionally, implementing rate limiting and request monitoring can help detect and prevent abuse of the vulnerable endpoint while maintaining service availability for legitimate users.
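As an added illustration of the mitigation described above (this is example code, not OpenClaw's own implementation; the handler path, the allow-listed parameter names and the limits are assumptions), a minimal model of an in-memory key store keyed on the raw request URL, beside a variant that normalizes the key to allow-listed parameters and bounds the store by size and age:

```python
import time
from collections import OrderedDict

# Constructed model of the flaw: the handler records a key built from the raw
# path and query string, so every distinct query string adds a new key.
class UnboundedKeyStore:
    def __init__(self):
        self.keys = {}

    def record(self, path, query):
        self.keys[f"{path}?{query}"] = time.monotonic()
        return len(self.keys)

# Assumed hardening (not the project's actual fix): the key keeps only
# allow-listed parameters, and the store is capped by LRU size and by TTL.
class BoundedKeyStore:
    MAX_KEYS = 1000
    TTL_SECONDS = 300.0
    ALLOWED_PARAMS = frozenset({"event", "app_id"})  # assumed names

    def __init__(self, max_keys=MAX_KEYS, ttl=TTL_SECONDS, now=time.monotonic):
        self.keys = OrderedDict()          # oldest/least-recent entry first
        self.max_keys, self.ttl, self.now = max_keys, ttl, now

    def normalize(self, path, query):
        pairs = sorted(p.split("=", 1) for p in query.split("&") if "=" in p)
        kept = [f"{k}={v}" for k, v in pairs if k in self.ALLOWED_PARAMS]
        return path + "?" + "&".join(kept)

    def _expire(self):
        cutoff = self.now() - self.ttl
        while self.keys and next(iter(self.keys.values())) < cutoff:
            self.keys.popitem(last=False)

    def record(self, path, query):
        self._expire()
        key = self.normalize(path, query)
        if key in self.keys:
            self.keys.move_to_end(key)     # refresh recency before updating
        self.keys[key] = self.now()
        while len(self.keys) > self.max_keys:
            self.keys.popitem(last=False)  # evict least recently used
        return len(self.keys)

def simulate(store, n, template="event=message&junk={i}"):
    """Send n requests whose query string varies per request; return key count."""
    for i in range(n):
        store.record("/webhooks/zalo", template.format(i=i))  # path assumed
    return len(store.keys)
```

The unbounded store grows by one key per unique query string, while the bounded store collapses attacker-controlled parameters onto a single key and, even when an allow-listed parameter varies, never exceeds its cap.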
This vulnerability demonstrates the importance of proper resource management in web applications and aligns with common weakness enumerations found in CWE catalog entries related to resource management and input validation. The issue represents a failure to implement proper bounds checking and memory allocation controls that are essential for maintaining system stability under adversarial conditions. Organizations should conduct comprehensive security assessments of their webhook implementations to identify similar vulnerabilities and ensure proper input sanitization across all network-facing services.