CVE-2026-28394 Overview
CVE-2026-28394 is a denial of service vulnerability affecting OpenClaw versions prior to 2026.2.15. The flaw resides in the web_fetch tool and allows remote attackers to crash the Gateway process through memory exhaustion. Exploitation occurs when the application parses oversized or deeply nested HTML responses without proper resource limits, enabling attackers to social-engineer users into fetching malicious URLs containing pathological HTML structures.
Critical Impact
Successful exploitation can exhaust server memory and cause complete service unavailability, disrupting all Gateway operations.
Affected Products
- OpenClaw versions prior to 2026.2.15
Discovery Timeline
- 2026-03-05 - CVE-2026-28394 published to NVD
- 2026-03-05 - Last updated in NVD database
Technical Details for CVE-2026-28394
Vulnerability Analysis
This vulnerability is classified under CWE-770 (Allocation of Resources Without Limits or Throttling). The web_fetch tool in OpenClaw processes HTML responses without enforcing adequate constraints on input size or structural complexity. When a user is tricked into fetching a URL that returns specially crafted HTML content—either extremely large or containing deeply nested elements—the parsing operation consumes unbounded memory resources.
The attack requires user interaction, as an attacker must convince a victim to initiate a fetch request to a malicious URL. Once triggered, the HTML parser attempts to process the entire response body and build a DOM representation, which for pathological inputs can lead to exponential memory consumption and ultimately crash the Gateway process.
Root Cause
The root cause is the absence of resource limits during HTML response parsing in the web_fetch utility functions. Prior to the fix, the application would:
- Accept arbitrarily large HTTP response bodies
- Attempt to parse HTML content regardless of document size
- Process deeply nested DOM structures without depth limits
This lack of input validation allows attackers to craft responses that trigger worst-case memory allocation scenarios in the Readability parsing library.
Attack Vector
The attack leverages a network-based vector requiring user interaction. An attacker crafts a malicious web page with one or more of the following characteristics:
- HTML content exceeding reasonable size limits (multiple megabytes)
- Extremely deep nesting of HTML elements (thousands of levels)
- Combinations of large size and complex structure to maximize memory impact
The attacker then social-engineers a user into using the web_fetch tool against the malicious URL. When the tool fetches and attempts to parse the response, memory consumption spikes uncontrollably, exhausting available resources and crashing the Gateway service.
// Security patch introducing resource limits
// Source: https://github.com/openclaw/openclaw/commit/166cf6a3e04c7df42bea70a7ad5ce2b9df46d147
export type ExtractMode = "markdown" | "text";
+const READABILITY_MAX_HTML_CHARS = 1_000_000;
+const READABILITY_MAX_ESTIMATED_NESTING_DEPTH = 3_000;
+
let readabilityDepsPromise:
| Promise<{
Readability: typeof import("@mozilla/readability").Readability;
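Review bot: the two limits declared at the top of this hunk are not enforced anywhere in view; the length check against READABILITY_MAX_HTML_CHARS and the depth check against READABILITY_MAX_ESTIMATED_NESTING_DEPTH need to run before the string is handed to Readability and a DOM is built, otherwise the constants only document the intent. READABILITY_MAX_ESTIMATED_NESTING_DEPTH also deserves a one-line comment on how the depth is estimated, because a heuristic that under-counts on malformed markup lets the pathological input through, and a note on why 1_000_000 characters and 3_000 levels were chosen would help anyone who later tunes them.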
The patch introduces explicit limits: READABILITY_MAX_HTML_CHARS caps HTML content at 1 million characters, while READABILITY_MAX_ESTIMATED_NESTING_DEPTH limits DOM nesting to 3,000 levels.
// Additional response body size limits
// Source: https://github.com/openclaw/openclaw/commit/166cf6a3e04c7df42bea70a7ad5ce2b9df46d147
const EXTRACT_MODES = ["markdown", "text"] as const;
const DEFAULT_FETCH_MAX_CHARS = 50_000;
+const DEFAULT_FETCH_MAX_RESPONSE_BYTES = 2_000_000;
+const FETCH_MAX_RESPONSE_BYTES_MIN = 32_000;
+const FETCH_MAX_RESPONSE_BYTES_MAX = 10_000_000;
const DEFAULT_FETCH_MAX_REDIRECTS = 3;
const DEFAULT_ERROR_MAX_CHARS = 4_000;
+const DEFAULT_ERROR_MAX_BYTES = 64_000;
const DEFAULT_FIRECRAWL_BASE_URL = "https://api.firecrawl.dev";
const DEFAULT_FIRECRAWL_MAX_AGE_MS = 172_800_000;
const DEFAULT_FETCH_USER_AGENT =
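Review bot: FETCH_MAX_RESPONSE_BYTES_MIN and FETCH_MAX_RESPONSE_BYTES_MAX define a configurable range, so the code that reads the operator's value should clamp it into [32_000, 10_000_000] and fall back to DEFAULT_FETCH_MAX_RESPONSE_BYTES on a non-numeric setting rather than trusting the raw config. The byte limit has to be applied while the body is streamed; checking Content-Length or measuring after the whole body is buffered does not stop the memory growth this fix targets. Note that the 2_000_000-byte default is twice READABILITY_MAX_HTML_CHARS from the previous hunk, so a body can pass the byte check and still be rejected at the character check; that is acceptable but worth a comment, and DEFAULT_ERROR_MAX_BYTES beside DEFAULT_ERROR_MAX_CHARS should say which of the two is applied first to error bodies.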
This portion of the fix adds byte-level limits on response bodies, defaulting to 2MB with configurable bounds between 32KB and 10MB.
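The following is an added example, not OpenClaw's code, showing how the three limits named in the two patch excerpts above (response bytes, HTML characters, estimated nesting depth) can be enforced before a body reaches a Readability-style parser. The numeric limits are copied from the patch constants; the function names, the Limits type, the tag-counting depth heuristic and the constructed sample bodies are assumptions of this example, and body chunks are passed as a plain array so the code runs offline where a real caller would stream them from a fetch() response body.

```typescript
// Added example (not OpenClaw's code): bounded intake in front of an HTML parser.
// Limits copy the patch constants; everything else is this example's own design.

export interface Limits {
  maxResponseBytes: number; // patch: DEFAULT_FETCH_MAX_RESPONSE_BYTES
  maxHtmlChars: number;     // patch: READABILITY_MAX_HTML_CHARS
  maxNestingDepth: number;  // patch: READABILITY_MAX_ESTIMATED_NESTING_DEPTH
}

export const DEFAULT_LIMITS: Limits = {
  maxResponseBytes: 2_000_000,
  maxHtmlChars: 1_000_000,
  maxNestingDepth: 3_000,
};

// Clamp an operator-supplied byte limit into the patch's allowed range
// (FETCH_MAX_RESPONSE_BYTES_MIN .. FETCH_MAX_RESPONSE_BYTES_MAX).
export function clampResponseBytes(requested: number, min = 32_000, max = 10_000_000): number {
  if (!Number.isFinite(requested)) return DEFAULT_LIMITS.maxResponseBytes;
  return Math.min(max, Math.max(min, Math.floor(requested)));
}

export type GuardResult =
  | { ok: true; html: string; estimatedDepth: number }
  | { ok: false; reason: "response-too-large" | "html-too-long" | "nesting-too-deep" };

// Consume body chunks and stop as soon as the byte budget is exceeded. The
// budget is checked per chunk, so an oversized body is never fully buffered.
export function readBounded(chunks: Uint8Array[], maxBytes: number): Uint8Array | null {
  const parts: Uint8Array[] = [];
  let total = 0;
  for (const chunk of chunks) {
    total += chunk.byteLength;
    if (total > maxBytes) return null; // abandon the partial body, keep nothing
    parts.push(chunk);
  }
  const out = new Uint8Array(total);
  let offset = 0;
  for (const p of parts) { out.set(p, offset); offset += p.byteLength; }
  return out;
}

// Single-pass estimate of the deepest element nesting: +1 per opening tag,
// -1 per closing tag, skipping void and self-closing tags. Unbalanced or
// malformed markup inflates the estimate, which is the safe direction for a guard.
const VOID_ELEMENTS = new Set([
  "area", "base", "br", "col", "embed", "hr", "img", "input",
  "link", "meta", "param", "source", "track", "wbr",
]);
const TAG_RE = /<(\/?)([a-zA-Z][a-zA-Z0-9-]*)[^>]*?(\/?)>/g;

export function estimateNestingDepth(html: string): number {
  let depth = 0;
  let deepest = 0;
  TAG_RE.lastIndex = 0;
  let m: RegExpExecArray | null;
  while ((m = TAG_RE.exec(html)) !== null) {
    const closing = m[1] === "/";
    const name = m[2].toLowerCase();
    const selfClosing = m[3] === "/";
    if (VOID_ELEMENTS.has(name) || selfClosing) continue;
    if (closing) {
      if (depth > 0) depth--;
    } else {
      depth++;
      if (depth > deepest) deepest = depth;
    }
  }
  return deepest;
}

// Apply the three limits in order: bytes (while reading), characters, depth.
// Only a body that passes all three is handed on to the parser.
export function guardHtml(chunks: Uint8Array[], limits: Limits = DEFAULT_LIMITS): GuardResult {
  const bytes = readBounded(chunks, limits.maxResponseBytes);
  if (bytes === null) return { ok: false, reason: "response-too-large" };
  const html = new TextDecoder("utf-8").decode(bytes);
  if (html.length > limits.maxHtmlChars) return { ok: false, reason: "html-too-long" };
  const estimatedDepth = estimateNestingDepth(html);
  if (estimatedDepth > limits.maxNestingDepth) return { ok: false, reason: "nesting-too-deep" };
  return { ok: true, html, estimatedDepth };
}

// Constructed sample bodies (not real responses) for a stand-alone run.
export function sampleBodies(): Record<string, Uint8Array[]> {
  const enc = new TextEncoder();
  const benign = "<html><body><div><p>hello<br></p></div></body></html>";
  const deep = "<div>".repeat(3_001) + "x" + "</div>".repeat(3_001);
  const long = "<p>" + "a".repeat(1_000_000) + "</p>";
  return {
    benign: [enc.encode(benign)],
    deep: [enc.encode(deep)],
    long: [enc.encode(long)],
    // 3 MB of padding delivered in 1 MB chunks: rejected on the third chunk
    huge: [new Uint8Array(1_000_000), new Uint8Array(1_000_000), new Uint8Array(1_000_000)],
  };
}
```

The order of the checks matters: the byte budget is the only one that can be enforced before the body is in memory, so it runs during the read, while the character and depth checks are cheap linear scans over a body that is already bounded in size. The depth heuristic deliberately over-estimates on broken markup; a guard that errs toward rejecting is the right trade for a parser whose worst case is process death.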
Detection Methods for CVE-2026-28394
Indicators of Compromise
- Unusual memory consumption spikes in Gateway processes correlated with web_fetch operations
- Gateway service crashes or restarts with out-of-memory errors in logs
- HTTP requests to external URLs followed immediately by service degradation
- Log entries showing exceptionally large response body sizes being processed
Detection Strategies
- Monitor Gateway process memory usage and alert on abnormal growth patterns
- Implement logging for web_fetch tool invocations capturing target URLs and response sizes
- Track service availability metrics to identify DoS patterns
- Analyze user activity for suspicious URL fetch requests targeting unfamiliar domains
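As an added example that is not part of the original advisory, the detector below applies two of the strategies above to log lines: it flags web_fetch operations whose recorded response size exceeds the patched default, and it correlates fetch operations with an out-of-memory event that follows within a short window. The log format, the field names url= and response_bytes=, the thresholds and the sample lines (with documentation-range addresses) are all constructed assumptions of this example; real Gateway logs will need their own parsing expressions.

```typescript
// Added example (not OpenClaw's code): oversized-response and fetch-before-crash
// detection over constructed web_fetch / Gateway log lines.

export interface FetchEvent { ts: number; url: string; responseBytes: number }
export interface CrashEvent { ts: number; message: string }
export interface Finding {
  kind: "oversized-response" | "fetch-before-crash";
  url: string;
  detail: string;
}

// Assumed line shapes (constructed for this example):
//   <iso-ts> <level> web_fetch url=<url> response_bytes=<n> ...
//   <iso-ts> <level> gateway ... out of memory / heap limit ...
const FETCH_RE = /^(\S+) \S+ web_fetch url=(\S+) response_bytes=(\d+)/;
const CRASH_RE = /^(\S+) \S+ gateway .*(out of memory|heap limit)/i;

export function parseLogs(lines: string[]): { fetches: FetchEvent[]; crashes: CrashEvent[] } {
  const fetches: FetchEvent[] = [];
  const crashes: CrashEvent[] = [];
  for (const line of lines) {
    const f = FETCH_RE.exec(line);
    if (f) {
      fetches.push({ ts: Date.parse(f[1]), url: f[2], responseBytes: Number(f[3]) });
      continue;
    }
    const c = CRASH_RE.exec(line);
    if (c) crashes.push({ ts: Date.parse(c[1]), message: line });
  }
  return { fetches, crashes };
}

export interface DetectOptions {
  maxBytes: number;  // the patched default response-body limit
  windowMs: number;  // how far back from a crash to look for a fetch
}

export const DEFAULT_OPTIONS: DetectOptions = { maxBytes: 2_000_000, windowMs: 30_000 };

export function detect(lines: string[], opts: DetectOptions = DEFAULT_OPTIONS): Finding[] {
  const { fetches, crashes } = parseLogs(lines);
  const findings: Finding[] = [];

  // Strategy 1: a response larger than the patched limit is worth a look on its own.
  for (const f of fetches) {
    if (f.responseBytes > opts.maxBytes) {
      findings.push({
        kind: "oversized-response",
        url: f.url,
        detail: `${f.responseBytes} bytes exceeds ${opts.maxBytes}`,
      });
    }
  }

  // Strategy 2: any fetch shortly before an out-of-memory event is a candidate
  // trigger; each fetch is reported at most once even if several crashes follow.
  const reported = new Set<string>();
  for (const c of crashes) {
    for (const f of fetches) {
      const key = `${f.ts}|${f.url}`;
      if (f.ts <= c.ts && c.ts - f.ts <= opts.windowMs && !reported.has(key)) {
        reported.add(key);
        findings.push({
          kind: "fetch-before-crash",
          url: f.url,
          detail: `fetched ${(c.ts - f.ts) / 1000}s before: ${c.message}`,
        });
      }
    }
  }
  return findings;
}

// Constructed sample log (not real data; 198.51.100.0/24 is a documentation range).
export const SAMPLE_LINES: string[] = [
  "2026-03-05T10:00:01Z INFO web_fetch url=https://example.com/page response_bytes=48213 duration_ms=120",
  "2026-03-05T10:00:05Z INFO web_fetch url=http://198.51.100.7/deep.html response_bytes=9834112 duration_ms=2200",
  "2026-03-05T10:00:07Z ERROR gateway FATAL ERROR: Reached heap limit Allocation failed - JavaScript heap out of memory",
  "2026-03-05T10:00:09Z INFO gateway process restarted pid=4412",
  "2026-03-05T10:02:00Z INFO web_fetch url=https://example.com/other response_bytes=48000 duration_ms=110",
];
```

Running detect(SAMPLE_LINES) yields one oversized-response finding for the 9.8 MB fetch and two fetch-before-crash findings (both fetches in the 30-second window before the heap-limit line); the fetch two minutes later, after the restart, is not flagged. The correlation is deliberately loose, because the point of the second strategy is to surface candidate URLs for an analyst, not to prove causation.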
Monitoring Recommendations
- Configure memory threshold alerts for OpenClaw Gateway processes
- Enable detailed logging for the web_fetch tool to capture response metadata
- Implement rate limiting on fetch operations to reduce exposure
- Monitor for repeated Gateway restarts which may indicate active exploitation attempts
How to Mitigate CVE-2026-28394
Immediate Actions Required
- Upgrade OpenClaw to version 2026.2.15 or later immediately
- Review recent web_fetch operations for suspicious URLs or unusually large responses
- Implement network-level filtering to block requests to known malicious domains
- Consider temporarily disabling or restricting access to the web_fetch tool until patching is complete
Patch Information
The vulnerability has been addressed in OpenClaw version 2026.2.15. The fix introduces multiple layers of protection including response body size limits (default 2MB, configurable between 32KB-10MB), HTML content character limits (1 million characters), and DOM nesting depth restrictions (3,000 levels). For detailed patch information, see the GitHub Commit and the GitHub Security Advisory.
Workarounds
- Restrict web_fetch tool access to trusted users only until patching is possible
- Implement proxy-based URL filtering to prevent fetching from untrusted external sources
- Configure network-level response size limits if supported by your infrastructure
- Educate users about the risks of fetching URLs from untrusted sources
# Configuration example - nginx reverse proxy in front of the OpenClaw Gateway
# These directives bound what the proxy itself accepts and buffers; they do not
# cap the bodies that the Gateway's web_fetch tool downloads from third-party sites
# Limit request bodies sent to the Gateway
client_max_body_size 2m;
# Limit the on-disk buffer nginx uses for a large upstream response
proxy_max_temp_file_size 2m;
# Set timeout to prevent long-running requests
proxy_read_timeout 30s;
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

