CVE-2026-28394: OpenClaw has a Web Fetch DoS via unbounded response parsing
The web_fetch tool could be used to crash the OpenClaw Gateway process (OOM / resource exhaustion) by fetching and attempting to parse attacker-controlled web pages with oversized response bodies or pathological HTML nesting.
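The two failure modes the advisory names (an unbounded response body buffered into memory, and HTML nested deeply enough to exhaust a recursive parser) both have the same shape of fix: enforce a limit while streaming, and abort before the full input is ever held in memory. The following is an added illustration written for this page; it is not OpenClaw's code, not the fix in the referenced commit, and the limits `MAX_BODY_BYTES`, `MAX_NESTING_DEPTH` and every function name are assumptions chosen for the example. It reads any async iterable of chunks (a Node `fetch` `Response.body` qualifies) under a byte cap, then runs a lightweight tag scanner that rejects the document once nesting exceeds a depth cap, without building a DOM.

```javascript
// Added example (not OpenClaw's code): bounded body reading plus a
// depth-limited HTML tag scan, so an oversized or pathologically nested
// page is rejected instead of exhausting the process.

const MAX_BODY_BYTES = 2 * 1024 * 1024; // assumed cap: 2 MiB
const MAX_NESTING_DEPTH = 256;          // assumed cap on open-tag depth

class ResponseTooLargeError extends Error {}
class NestingTooDeepError extends Error {}

// Consume an async iterable of chunks (Buffer, Uint8Array or string) and
// stop as soon as the running total passes maxBytes. Throwing out of the
// for-await loop calls the iterator's return(), which releases the
// underlying stream, so nothing beyond the cap is buffered.
async function readBodyBounded(chunks, maxBytes = MAX_BODY_BYTES) {
  const parts = [];
  let total = 0;
  for await (const chunk of chunks) {
    const buf = Buffer.isBuffer(chunk) ? chunk : Buffer.from(chunk);
    total += buf.length;
    if (total > maxBytes) {
      throw new ResponseTooLargeError(`response body exceeded ${maxBytes} bytes`);
    }
    parts.push(buf);
  }
  return Buffer.concat(parts);
}

// Elements that never take a closing tag and so do not add nesting.
const VOID_ELEMENTS = new Set([
  "area", "base", "br", "col", "embed", "hr", "img", "input",
  "link", "meta", "source", "track", "wbr",
]);

// Linear scan over tags: track the current open-element depth and fail
// fast once it exceeds maxDepth. This is a pre-parse guard, not an HTML
// parser (it ignores comments and '>' inside attribute values), which is
// why it can run in constant memory before any real parser is invoked.
// Returns the deepest nesting seen when the document is within limits.
function checkNestingDepth(html, maxDepth = MAX_NESTING_DEPTH) {
  const tagRe = /<(\/?)([a-zA-Z][a-zA-Z0-9-]*)[^>]*?(\/?)>/g;
  let depth = 0;
  let maxSeen = 0;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const [, closing, name, selfClosing] = m;
    const tag = name.toLowerCase();
    if (closing) {
      if (depth > 0) depth--;
      continue;
    }
    if (selfClosing || VOID_ELEMENTS.has(tag)) continue;
    depth++;
    if (depth > maxDepth) {
      throw new NestingTooDeepError(`nesting depth exceeded ${maxDepth} at <${tag}>`);
    }
    if (depth > maxSeen) maxSeen = depth;
  }
  return maxSeen;
}

// Combined guard: only a body that passed the byte cap is decoded, and only
// a document that passed the depth cap is handed to the real parser.
async function readAndCheckHtml(chunks, opts = {}) {
  const body = await readBodyBounded(chunks, opts.maxBytes);
  const html = body.toString("utf8");
  const depth = checkNestingDepth(html, opts.maxDepth);
  return { bytes: body.length, maxDepth: depth, html };
}

// Constructed stand-in for a response body: splits a string into chunks.
async function* bodyChunks(text, chunkSize = 1024) {
  for (let i = 0; i < text.length; i += chunkSize) {
    yield Buffer.from(text.slice(i, i + chunkSize));
  }
}

async function demo() {
  // Constructed inputs: a small well-formed page, an oversized body, and a
  // page whose open tags nest far beyond the cap.
  const ok = await readAndCheckHtml(bodyChunks("<html><body><div><p>hi</p></div></body></html>"));
  console.log("ok:", ok.bytes, "bytes, depth", ok.maxDepth);

  for (const input of ["x".repeat(5000), "<div>".repeat(300)]) {
    try {
      await readAndCheckHtml(bodyChunks(input, 1000), { maxBytes: 4096 });
    } catch (e) {
      console.log("rejected:", e.constructor.name, e.message);
    }
  }
}

if (typeof require !== "undefined" && require.main === module) demo();
```

The order matters: the byte cap is applied while the body is still streaming, and the depth scan runs on the capped buffer before a DOM parser sees it, so neither limit can be bypassed by making the other input pathological.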
References
- github.com/advisories/GHSA-p536-vvpp-9mc8
- github.com/openclaw/openclaw
- github.com/openclaw/openclaw/commit/166cf6a3e04c7df42bea70a7ad5ce2b9df46d147
- github.com/openclaw/openclaw/releases/tag/v2026.2.15
- github.com/openclaw/openclaw/security/advisories/GHSA-p536-vvpp-9mc8
- nvd.nist.gov/vuln/detail/CVE-2026-28394
Detect and mitigate CVE-2026-28394 with GitLab Dependency Scanning