Zalo Webhook May Cause Server Crash with Certain Query Strings
GHSA-wr6m-jg37-68xh
Summary
An unauthenticated attacker who can reach the Zalo webhook endpoint of an OpenClaw instance can send repeated requests to the same valid webhook route with varying query strings. Each distinct query string creates a new entry in the in-memory webhook tracking state, which is never pruned, so memory grows without bound until the process becomes unstable or is killed by the OOM killer. This affects servers running an affected version of OpenClaw with the Zalo webhook exposed. To fix this, update OpenClaw to version 2026.3.1 or later.
What to do
- Update openclaw to version 2026.3.1.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | openclaw | <= 2026.2.26 | 2026.3.1 |
Original title
OpenClaw has unbounded memory growth in Zalo webhook via query-string key churn (unauthenticated DoS)
Original description
### Summary
Unauthenticated requests to a reachable Zalo webhook endpoint could trigger unbounded in-memory key growth by varying query strings on the same valid webhook route.
### Impact
An attacker could cause memory pressure and potential process instability or OOM, degrading availability.
### Fix
Webhook security tracking now normalizes keys to matched webhook path semantics (query excluded) and bounds/prunes tracking state to prevent unbounded growth.
### Affected and Patched Versions
- Affected: `<= 2026.2.26`
- Patched: `2026.3.1`
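The following is an added illustration, not OpenClaw's own code, of the bug class and fix described above. It places a per-route tracker keyed by the raw request URL (the vulnerable shape: query-string churn mints one key per request) beside one keyed by the matched path with the query stripped, a hard cap on the number of tracked keys, and time-based pruning. Class names, the `maxKeys`/`ttlMs` parameters and the `/webhook/zalo` route are assumptions for the example; the request stream is constructed inline.

```javascript
// Added example (not OpenClaw's code): request tracking keyed by raw URL
// versus tracking keyed by the matched route path with bounded state.

// Vulnerable shape: one entry per distinct URL string. Varying the query
// string on a valid route adds a fresh key on every request and nothing
// ever removes old keys, so the Map grows for as long as the attacker sends.
class RawUrlTracker {
  constructor() { this.hits = new Map(); }
  record(rawUrl, now) {
    const entry = this.hits.get(rawUrl) || { count: 0, last: now };
    entry.count += 1;
    entry.last = now;
    this.hits.set(rawUrl, entry);
    return entry.count;
  }
  size() { return this.hits.size; }
}

// Hardened shape: key on the path only (query and fragment dropped), cap the
// number of tracked keys, and prune entries that have gone stale.
// maxKeys and ttlMs are illustrative defaults, not values from the project.
class BoundedPathTracker {
  constructor({ maxKeys = 1000, ttlMs = 60_000 } = {}) {
    this.hits = new Map();
    this.maxKeys = maxKeys;
    this.ttlMs = ttlMs;
  }

  // Reduce a request URL to its path. Parsing against a placeholder origin
  // lets path-only request targets through the WHATWG URL parser.
  static routeKey(rawUrl) {
    return new URL(rawUrl, "http://webhook.invalid").pathname;
  }

  // Drop entries older than ttlMs, then enforce the hard cap by evicting the
  // least recently touched keys. Map keeps insertion order and record()
  // re-inserts on every touch, so the first key is always the oldest.
  prune(now) {
    for (const [key, entry] of this.hits) {
      if (now - entry.last > this.ttlMs) this.hits.delete(key);
    }
    while (this.hits.size > this.maxKeys) {
      this.hits.delete(this.hits.keys().next().value);
    }
  }

  record(rawUrl, now) {
    const key = BoundedPathTracker.routeKey(rawUrl);
    const entry = this.hits.get(key) || { count: 0, last: now };
    entry.count += 1;
    entry.last = now;
    this.hits.delete(key); // re-insert so this key moves to the newest slot
    this.hits.set(key, entry);
    this.prune(now);
    return entry.count;
  }
  size() { return this.hits.size; }
}

// Constructed attack traffic: the same valid route, a new query string each
// time. Returns how many keys the tracker holds afterwards and the counter
// value seen by the last request.
function simulateChurn(tracker, requests) {
  let lastCount = 0;
  for (let i = 0; i < requests; i++) {
    lastCount = tracker.record(`/webhook/zalo?x=${i}`, i);
  }
  return { keys: tracker.size(), lastCount };
}

console.log("raw-url tracker:", simulateChurn(new RawUrlTracker(), 10000));
console.log("bounded path tracker:", simulateChurn(new BoundedPathTracker(), 10000));
```

With 10,000 requests the raw-URL tracker ends up holding 10,000 keys and every request looks like a first hit, which is both the memory problem and a bypass of whatever the counter was meant to enforce; the bounded tracker holds one key with a count of 10,000. Keying on the pathname alone is a simplification: a router keying on the matched route pattern, as the fix describes, also collapses path-parameter and percent-encoding variants that `pathname` would keep distinct, which is why the hard cap stays in place as defence in depth rather than relying on normalization alone.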
CVSS 4.0 (GHSA): 6.9
Vulnerability type
CWE-400
Uncontrolled Resource Consumption
Published: 2 Mar 2026 · Updated: 7 Mar 2026 · First seen: 6 Mar 2026