OpenClaw: Large Webhook Requests Can Crash the Server
CVE-2026-28478
GHSA-q447-rj3r-2cgh
Summary
Some OpenClaw webhooks can be crashed by very large or slow uploads, causing the server to become unresponsive. This can happen when an attacker sends a huge amount of data to the webhook, causing the server to run out of memory. To fix this, the OpenClaw developers have added a limit on the amount of data that can be sent in a webhook request, and have also improved how the server handles slow uploads.
What to do
- Update steipete openclaw to version 2026.2.13.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| steipete | openclaw | <= 2026.2.13 | 2026.2.13 |
| steipete | clawdbot | <= 2026.1.24-3 | – |
Original title
OpenClaw affected by denial of service via unbounded webhook request body buffering
Original description
### Summary
Multiple webhook handlers accepted and buffered request bodies without a strict unified byte/time limit. A remote unauthenticated attacker could send oversized payloads and cause memory pressure, degrading availability.
### Details
Affected packages:
- `openclaw` (npm): `<2026.2.12`
- `clawdbot` (npm): `<=2026.1.24-3`
Root cause:
- Webhook code paths buffered request payloads without consistent `maxBytes` + `timeoutMs` enforcement.
- Some SDK-backed handlers parse request bodies internally and needed stream-level guards.
Attack shape:
- Send very large JSON payloads or slow/incomplete uploads to webhook endpoints.
- Observe elevated memory usage and request handler pressure.
### Impact
Remote unauthenticated availability impact (DoS) via request body amplification/memory pressure.
### Patch details (implemented)
- Added shared bounded request-body helper in `src/infra/http-body.ts`.
- Exported helper in `src/plugin-sdk/index.ts` for extension reuse.
- Migrated webhook body readers to shared helper for:
  - LINE
  - Nextcloud Talk
  - Google Chat
  - Zalo
  - BlueBubbles
  - Nostr profile HTTP
  - Voice-call
  - Gateway hooks
- Added stream guards for SDK handlers that parse request bodies internally:
  - Slack
  - Telegram
  - Feishu
- Added explicit Express JSON body limit handling for MS Teams webhook path.
- Standardized failure responses:
  - `413 Payload Too Large`
  - `408 Request Timeout`
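The reader below is an added illustration, not OpenClaw's `src/infra/http-body.ts` or any other code from the project: it shows the shape of fix the advisory describes, a single body reader that enforces `maxBytes` and `timeoutMs` while chunks stream in, tears the connection down on violation, and carries the 413 / 408 status the handler should answer with. The names `BodyLimitError`, `BoundedBodyCollector`, `contentLengthExceeds`, `BodyStream` and `readBoundedBody` are assumptions for this example; the clock is injected so the limit logic can be exercised deterministically.

```typescript
// Added example, not OpenClaw's own src/infra/http-body.ts: a request-body reader that
// enforces a byte cap and a wall-clock deadline while chunks stream in, so neither a huge
// payload nor a slow/incomplete upload can pin memory or a handler indefinitely.
// All names below (BodyLimitError, BoundedBodyCollector, contentLengthExceeds, BodyStream,
// readBoundedBody) are assumptions for this illustration.

export type BodyLimitOptions = { maxBytes: number; timeoutMs: number };

/** Carries the HTTP status a handler should answer with: 413 for size, 408 for time. */
export class BodyLimitError extends Error {
  readonly status: 413 | 408;
  constructor(status: 413 | 408, message: string) {
    super(message);
    this.name = "BodyLimitError";
    this.status = status;
  }
}

/** Cheap pre-check: reject a declared Content-Length above the cap before reading any bytes. */
export function contentLengthExceeds(header: string | undefined, maxBytes: number): boolean {
  if (header === undefined) return false;
  const declared = Number(header);
  return Number.isFinite(declared) && declared > maxBytes;
}

/**
 * Accumulates chunks and enforces both limits. The clock (epoch ms) is passed in rather
 * than read from Date.now(), so the policy can be tested without real delays.
 */
export class BoundedBodyCollector {
  private readonly chunks: Uint8Array[] = [];
  private received = 0;
  private readonly deadline: number;

  constructor(private readonly opts: BodyLimitOptions, startedAt: number) {
    this.deadline = startedAt + opts.timeoutMs;
  }

  /** Feed one chunk; throws BodyLimitError the moment a limit is crossed. */
  push(chunk: Uint8Array, nowMs: number): void {
    if (nowMs > this.deadline) {
      throw new BodyLimitError(408, `body not received within ${this.opts.timeoutMs} ms`);
    }
    // Check before storing, so an oversized chunk is never retained in memory.
    if (this.received + chunk.byteLength > this.opts.maxBytes) {
      throw new BodyLimitError(413, `body exceeds ${this.opts.maxBytes} bytes`);
    }
    this.chunks.push(chunk);
    this.received += chunk.byteLength;
  }

  /** Returns the complete body once the stream has ended. */
  finish(nowMs: number): Uint8Array {
    if (nowMs > this.deadline) {
      throw new BodyLimitError(408, `body not received within ${this.opts.timeoutMs} ms`);
    }
    const body = new Uint8Array(this.received);
    let offset = 0;
    for (const chunk of this.chunks) {
      body.set(chunk, offset);
      offset += chunk.byteLength;
    }
    return body;
  }
}

/** Minimal shape of an incoming request stream (Node's IncomingMessage satisfies it). */
export interface BodyStream {
  headers?: Record<string, string | string[] | undefined>;
  on(event: "data" | "end" | "error", listener: (arg: any) => void): unknown;
  destroy(): unknown;
}

/**
 * Reads a request body under the limits. On violation the socket is destroyed so the
 * client cannot keep the connection (and its buffers) alive, and the promise rejects
 * with a BodyLimitError whose .status the handler can return directly.
 */
export function readBoundedBody(
  req: BodyStream,
  opts: BodyLimitOptions,
  now: () => number = Date.now,
): Promise<Uint8Array> {
  return new Promise((resolve, reject) => {
    const declared = req.headers?.["content-length"];
    if (typeof declared === "string" && contentLengthExceeds(declared, opts.maxBytes)) {
      req.destroy();
      reject(new BodyLimitError(413, `declared length exceeds ${opts.maxBytes} bytes`));
      return;
    }
    const collector = new BoundedBodyCollector(opts, now());
    let timer: ReturnType<typeof setTimeout> | undefined;
    const fail = (err: Error) => { clearTimeout(timer); req.destroy(); reject(err); };
    // The timer also fires when the client sends nothing at all after opening the request.
    timer = setTimeout(
      () => fail(new BodyLimitError(408, `body not received within ${opts.timeoutMs} ms`)),
      opts.timeoutMs,
    );
    req.on("data", (chunk: Uint8Array) => {
      try { collector.push(chunk, now()); } catch (err) { fail(err as Error); }
    });
    req.on("end", () => {
      clearTimeout(timer);
      try { resolve(collector.finish(now())); } catch (err) { fail(err as Error); }
    });
    req.on("error", fail);
  });
}
```

Two points the advisory's patch list makes and this example mirrors: the cap is checked before a chunk is buffered, so the bound holds even when a client lies about (or omits) `Content-Length`, and the guard sits at the stream level, which is what lets it wrap handlers that parse the body internally (the Slack/Telegram/Feishu case) as well as readers the project controls directly. For a framework that parses bodies in middleware, such as the Express JSON path mentioned above, the equivalent is the parser's own size limit, which must be set explicitly rather than left at its default.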
### Tests
- Added regression tests:
  - `src/infra/http-body.test.ts`
  - `src/line/monitor.read-body.test.ts`
  - `extensions/nextcloud-talk/src/monitor.read-body.test.ts`
- Focused webhook/security test suite passes for patched paths.
### Remediation
Upgrade to the first release containing this patch.
## Credits
Thanks @vincentkoc for reporting.
NVD CVSS 3.1: 7.5
NVD CVSS 4.0: 8.7
Vulnerability type
CWE-770: Allocation of Resources Without Limits
CWE-400: Uncontrolled Resource Consumption
Published: 18 Feb 2026 · Updated: 13 Mar 2026 · First seen: 6 Mar 2026