OpenClaw Web Fetch Tool Crashes Due to Malicious HTML
CVE-2026-28394 · GHSA-p536-vvpp-9mc8 · Severity: 6.9 (CVSS 4.0)
Summary
OpenClaw versions prior to 2026.2.15 can be crashed by malicious HTML fetched through the web_fetch tool. A successful trigger makes the service unavailable. Update to version 2026.2.15 or later to fix this issue.
What to do
- Update steipete/openclaw to version 2026.2.15 or later.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| steipete | openclaw | <= 2026.2.15 | 2026.2.15 |
| openclaw | openclaw | <= 2026.2.15 | – |
Original title
OpenClaw versions prior to 2026.2.15 contain a denial of service vulnerability in the web_fetch tool that allows attackers to crash the Gateway process through memory exhaustion by parsing oversize...
Original description
OpenClaw versions prior to 2026.2.15 contain a denial of service vulnerability in the web_fetch tool that allows attackers to crash the Gateway process through memory exhaustion by parsing oversized or deeply nested HTML responses. Remote attackers can social-engineer users into fetching malicious URLs with pathological HTML structures to exhaust server memory and cause service unavailability.
NVD CVSS 3.1: 6.5
NVD CVSS 4.0: 6.9
Vulnerability type
- CWE-770: Allocation of Resources Without Limits
- CWE-400: Uncontrolled Resource Consumption
- https://github.com/openclaw/openclaw/commit/166cf6a3e04c7df42bea70a7ad5ce2b9df46...
- https://github.com/openclaw/openclaw/security/advisories/GHSA-p536-vvpp-9mc8
- https://www.vulncheck.com/advisories/openclaw-denial-of-service-via-unbounded-re...
- https://github.com/openclaw/openclaw/releases/tag/v2026.2.15
- https://github.com/advisories/GHSA-p536-vvpp-9mc8
Published: 5 Mar 2026 · Updated: 11 Mar 2026 · First seen: 6 Mar 2026