CVE-2026-28478: OpenClaw affected by denial of service via unbounded webhook request body buffering
Multiple webhook handlers accepted and buffered request bodies without a strict unified byte/time limit. A remote unauthenticated attacker could send oversized payloads and cause memory pressure, degrading availability.
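The mitigation this description points to is a single body reader that enforces both a byte cap and a deadline before anything reaches the handler. The sketch below is an added example, not OpenClaw's code or its fix; it assumes a Node.js HTTP server, and the names `BodyLimitError`, `createBoundedCollector` and `readWebhookBody` and the default limits are hypothetical.

```javascript
// Added example with hypothetical names; not OpenClaw's code.
class BodyLimitError extends Error {
  constructor(status, message) {
    super(message);
    this.status = status; // HTTP status the handler should answer with
  }
}

// Synchronous core: counts bytes and checks a deadline on every chunk.
function createBoundedCollector({ maxBytes, timeoutMs, now = Date.now }) {
  const chunks = [];
  let total = 0;
  const deadline = now() + timeoutMs;
  return {
    push(chunk) {
      if (now() > deadline) throw new BodyLimitError(408, "body read timed out");
      total += chunk.length;
      if (total > maxBytes) {
        chunks.length = 0; // release what was buffered so far
        throw new BodyLimitError(413, `body exceeds ${maxBytes} bytes`);
      }
      chunks.push(chunk);
    },
    finish: () => Buffer.concat(chunks),
  };
}

// Wiring for a Node.js http.IncomingMessage (default limits are assumptions).
function readWebhookBody(req, { maxBytes = 1 << 20, timeoutMs = 10000 } = {}) {
  return new Promise((resolve, reject) => {
    let timer;
    // Stop reading and reject; the caller replies with err.status and closes.
    const fail = (err) => { clearTimeout(timer); req.pause(); reject(err); };
    // Reject early when the declared length is already over the limit.
    const declared = Number(req.headers && req.headers["content-length"]);
    if (declared > maxBytes) return fail(new BodyLimitError(413, "declared length too large"));
    const body = createBoundedCollector({ maxBytes, timeoutMs });
    // The timer covers clients that stall without sending any bytes.
    timer = setTimeout(() => fail(new BodyLimitError(408, "body read timed out")), timeoutMs);
    req.on("data", (chunk) => { try { body.push(chunk); } catch (err) { fail(err); } });
    req.on("end", () => { clearTimeout(timer); resolve(body.finish()); });
    req.on("error", fail);
  });
}
```

Routing every webhook handler through one reader like this keeps the limit uniform, which is the property the advisory says was missing.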