CVE-2026-28478 Overview
OpenClaw versions prior to 2026.2.13 contain a denial of service vulnerability in webhook handlers that buffer request bodies without strict byte or time limits. Remote unauthenticated attackers can send oversized JSON payloads or slow uploads to webhook endpoints causing memory pressure and availability degradation. This vulnerability is classified as CWE-770 (Allocation of Resources Without Limits or Throttling).
Critical Impact
Unauthenticated remote attackers can cause service unavailability by exploiting unbounded webhook body buffering, leading to memory exhaustion and denial of service conditions affecting OpenClaw deployments.
Affected Products
- OpenClaw versions prior to 2026.2.13
Discovery Timeline
- 2026-03-05 - CVE-2026-28478 published to NVD
- 2026-03-05 - Last updated in NVD database
Technical Details for CVE-2026-28478
Vulnerability Analysis
This denial of service vulnerability exists in OpenClaw's webhook handling implementation. The affected components, including the BlueBubbles and Feishu extensions, process incoming webhook requests without implementing proper resource constraints on the request body. When a webhook endpoint receives a request, the handler buffers the entire request body into memory before processing. Without byte limits or timeout constraints, an attacker can exhaust server memory by sending extremely large payloads or maintain connections with slow data transmission rates (slowloris-style attacks).
The vulnerability affects network-accessible webhook endpoints that accept external input, making it exploitable by unauthenticated remote attackers. The impact is limited to availability—there is no evidence of data confidentiality or integrity compromise.
Root Cause
The root cause is the absence of bounded request body handling in webhook processors. The webhook handlers in multiple OpenClaw extensions read and buffer incoming HTTP request bodies without enforcing maximum size limits or connection timeout constraints. This design flaw allows attackers to allocate arbitrary amounts of server memory by controlling the size of incoming requests, ultimately leading to resource exhaustion.
Attack Vector
The attack vector is network-based and requires no authentication or user interaction. An attacker can exploit this vulnerability by:
- Sending oversized JSON payloads to webhook endpoints, causing excessive memory allocation
- Initiating slow uploads (slowloris attack) that hold connections open while slowly transmitting data, tying up server resources
- Combining multiple concurrent requests to amplify the denial of service impact
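What the Root Cause section describes, and what bounded handling looks like, as an added example in JavaScript that is not OpenClaw's code: the vulnerable pattern is a `for await` loop that appends every chunk until the client ends the body; the reader below instead fails closed on a byte cap and an idle timeout. The names readBodyWithLimit, BodyLimitError and handleWebhook are stand-ins for the SDK utilities the patch imports, with assumed signatures, and the chunks generator is a constructed request body.

```javascript
// Added example, not OpenClaw's code. `req` is any async iterable of Buffers,
// which an http.IncomingMessage already is, so the reader works on a real server.
class BodyLimitError extends Error {
  constructor(kind, message) { super(message); this.kind = kind; } // "too_large" | "timeout"
}
// Hardened reader: fail once the running total exceeds maxBytes (plus at most one
// in-flight chunk), or when no chunk arrives within idleTimeoutMs (slow upload).
// The iterator is closed on both failure paths, which destroys a real request's socket.
async function readBodyWithLimit(req, { maxBytes, idleTimeoutMs }) {
  const it = req[Symbol.asyncIterator]();
  const chunks = [];
  let total = 0;
  for (;;) {
    let timer;
    const idle = new Promise((_, reject) => {
      timer = setTimeout(() => reject(new BodyLimitError("timeout",
        `no body data for ${idleTimeoutMs} ms`)), idleTimeoutMs);
    });
    let step;
    try { step = await Promise.race([it.next(), idle]); }
    catch (err) { it.return?.().catch(() => {}); throw err; }
    finally { clearTimeout(timer); }
    if (step.done) break;
    total += step.value.length;
    if (total > maxBytes) {
      it.return?.().catch(() => {});
      throw new BodyLimitError("too_large", `body exceeds ${maxBytes} bytes`);
    }
    chunks.push(step.value);
  }
  return Buffer.concat(chunks);
}
// Handler: oversized body -> 413, stalled upload -> 408, malformed JSON -> 400.
async function handleWebhook(req, limits) {
  let body;
  try { body = await readBodyWithLimit(req, limits); }
  catch (err) {
    if (!(err instanceof BodyLimitError)) throw err;
    return { status: err.kind === "too_large" ? 413 : 408, text: err.message };
  }
  try { return { status: 200, payload: JSON.parse(body.toString("utf8")) }; }
  catch { return { status: 400, text: "invalid JSON" }; }
}
// Constructed stand-in for a request body: yields chunks, optionally after a delay.
async function* chunks(parts, gapMs = 0) {
  for (const p of parts) {
    if (gapMs) await new Promise((r) => setTimeout(r, gapMs));
    yield Buffer.from(p);
  }
}
```

On a real server the same handler is called as handleWebhook(req, { maxBytes, idleTimeoutMs }) and the returned status is written to the response; the timeout fires per idle gap, so it catches a stalled upload without cutting off a legitimate large-but-steady one.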
The security patch introduces bounded request body handling by importing readRequestBodyWithLimit, isRequestBodyLimitError, and requestBodyErrorToText utilities, as well as installRequestBodyLimitGuard for server-level protection:
import type { OpenClawConfig } from "openclaw/plugin-sdk";
import {
createReplyPrefixOptions,
+ isRequestBodyLimitError,
logAckFailure,
logInboundDrop,
logTypingFailure,
+ readRequestBodyWithLimit,
resolveAckReaction,
resolveControlCommandGate,
+ requestBodyErrorToText,
} from "openclaw/plugin-sdk";
import type { ResolvedBlueBubblesAccount } from "./accounts.js";
import type { BlueBubblesAccountConfig, BlueBubblesAttachment } from "./types.js";
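Review bot: this hunk adds isRequestBodyLimitError, readRequestBodyWithLimit and requestBodyErrorToText to the import list but shows none of their call sites, so it cannot be judged on its own; the reviewer needs, in the same commit, the handler change where the previous whole-body buffering is replaced by readRequestBodyWithLimit, the byte and time limits passed to it, and the branch that uses isRequestBodyLimitError to turn a limit error into a non-2xx response via requestBodyErrorToText. Since logInboundDrop is already imported here, the rejected-body path should also go through it so oversized or stalled requests show up in the logs that the detection guidance relies on.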
Source: GitHub Commit Update
-import type { ClawdbotConfig, RuntimeEnv, HistoryEntry } from "openclaw/plugin-sdk";
import * as Lark from "@larksuiteoapi/node-sdk";
import * as http from "http";
+import {
+ type ClawdbotConfig,
+ type RuntimeEnv,
+ type HistoryEntry,
+ installRequestBodyLimitGuard,
+} from "openclaw/plugin-sdk";
import type { ResolvedFeishuAccount } from "./types.js";
import { resolveFeishuAccount, listEnabledFeishuAccounts } from "./accounts.js";
import { handleFeishuMessage, type FeishuMessageEvent, type FeishuBotAddedEvent } from "./bot.js";
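Review bot: installRequestBodyLimitGuard is imported but the hunk does not show it being called; a guard that is imported and never installed on the server created from the `http` module leaves the Feishu endpoint as unbounded as before, so confirm the install call, and the limit it is configured with, is in this commit and attached before the server starts listening. The switch from `import type { ... }` to a value import with inline `type` modifiers is correct, since installRequestBodyLimitGuard is a runtime binding. Minor: this file imports ClawdbotConfig while the BlueBubbles hunk imports OpenClawConfig from the same SDK; if one is a deprecated alias, this line is the place to align it.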
Source: GitHub Commit Update
Detection Methods for CVE-2026-28478
Indicators of Compromise
- Unusual memory consumption spikes on servers hosting OpenClaw webhook endpoints
- Abnormally large HTTP POST requests to webhook paths (e.g., /webhook, /callback endpoints)
- Multiple slow or stalled HTTP connections from single IP addresses
- Application crashes or out-of-memory errors in OpenClaw services
Detection Strategies
- Monitor HTTP request sizes to webhook endpoints and alert on payloads exceeding normal operational thresholds
- Implement network-level detection for slow HTTP POST attacks using connection duration metrics
- Configure application performance monitoring (APM) to track memory allocation patterns in webhook handlers
- Deploy web application firewall (WAF) rules to limit request body sizes for webhook endpoints
Monitoring Recommendations
- Enable memory utilization alerts for OpenClaw service processes with thresholds based on baseline behavior
- Log and analyze webhook endpoint traffic patterns to identify anomalous request volumes or sizes
- Monitor connection duration metrics to detect slowloris-style attack patterns
- Implement rate limiting metrics collection for webhook endpoints to establish baseline and detect abuse
How to Mitigate CVE-2026-28478
Immediate Actions Required
- Upgrade OpenClaw to version 2026.2.13 or later, which includes the bounded webhook body handling fix
- Implement request body size limits at the reverse proxy or load balancer level as an interim measure
- Configure connection timeouts to terminate slow or stalled uploads
- Consider temporarily restricting access to webhook endpoints to known IP ranges if feasible
Patch Information
The vulnerability has been addressed in OpenClaw version 2026.2.13. The fix implements bounded request body handling through new SDK utilities, including readRequestBodyWithLimit and installRequestBodyLimitGuard. Review the GitHub Security Advisory for complete patch details and commit 3cbcba1 for the implementation.
Workarounds
- Deploy a reverse proxy (nginx, HAProxy) in front of OpenClaw with client_max_body_size limits configured
- Implement connection timeout enforcement at the load balancer level to terminate slow uploads
- Use a web application firewall to enforce request body size restrictions on webhook endpoints
- Consider IP-based rate limiting for webhook endpoints until the patch can be applied
# Nginx configuration example for request body size limit
# Add to the server or location block that fronts the webhook endpoints.
# client_max_body_size makes nginx answer oversized uploads with 413 before they reach OpenClaw.
client_max_body_size 10m;
# Caveat: client_body_timeout applies between two successive reads, not to the whole transfer,
# so a connection that delivers a small chunk just inside each 30s window is not cut off.
# Treat these timeouts as a first line, not a replacement for the in-application limits in 2026.2.13.
client_body_timeout 30s;
client_header_timeout 30s;
# Rate limiting zone definition (add to http block): 10 requests/s per client address
limit_req_zone $binary_remote_addr zone=webhook_limit:10m rate=10r/s;
# Apply rate limiting to webhook location; openclaw_backend is an upstream block defined elsewhere
location /webhook {
    limit_req zone=webhook_limit burst=20 nodelay;
    proxy_pass http://openclaw_backend;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.