GHSA-p536-vvpp-9mc8: OpenClaw has a Web Fetch DoS via unbounded response parsing
The web_fetch tool could be used to crash the OpenClaw Gateway process (OOM / resource exhaustion) by fetching and attempting to parse attacker-controlled web pages with oversized response bodies or pathological HTML nesting.
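A pre-parse guard for the two inputs the advisory names, an oversized response body and deeply nested HTML, written here as an added example; it is not OpenClaw's code or its fix. The limits and function names are assumptions, and in a real fetcher the chunks would come from the response body stream.

```javascript
// Illustrative limits (assumptions, not OpenClaw configuration values).
const MAX_BODY_BYTES = 2 * 1024 * 1024;
const MAX_HTML_DEPTH = 256;
const VOID_TAGS = new Set(["area", "base", "br", "col", "embed", "hr", "img",
  "input", "link", "meta", "source", "track", "wbr"]);

// Buffer response chunks (Uint8Array), stopping as soon as the running total
// passes the cap so an oversized body is never held in memory in full.
function collectBounded(chunks, maxBytes = MAX_BODY_BYTES) {
  const parts = [];
  let total = 0;
  for (const chunk of chunks) {
    total += chunk.byteLength;
    if (total > maxBytes) return { ok: false, reason: "body-too-large" };
    parts.push(chunk);
  }
  const body = new Uint8Array(total);
  let offset = 0;
  for (const part of parts) { body.set(part, offset); offset += part.byteLength; }
  return { ok: true, text: new TextDecoder().decode(body) };
}

// Single linear pass over the markup, no DOM built. Counts open tags minus
// close tags; it over-estimates (tags inside comments or scripts count too),
// which is the safe direction for a pre-parse guard.
function exceedsDepth(html, limit = MAX_HTML_DEPTH) {
  let depth = 0;
  for (let i = html.indexOf("<"); i !== -1; i = html.indexOf("<", i + 1)) {
    const closing = html[i + 1] === "/";
    const start = i + (closing ? 2 : 1);
    let end = start;
    while (end < html.length && /[a-z0-9]/i.test(html[end])) end++;
    if (end === start) continue; // "<!--", "< 3", etc.: not an element tag
    if (closing) depth = Math.max(0, depth - 1);
    else if (!VOID_TAGS.has(html.slice(start, end).toLowerCase()) && ++depth > limit) return true;
  }
  return false;
}

// Gate to run before handing text to an HTML parser or extractor.
function guardFetchedHtml(chunks, maxBytes = MAX_BODY_BYTES, maxDepth = MAX_HTML_DEPTH) {
  const body = collectBounded(chunks, maxBytes);
  if (!body.ok) return body;
  if (exceedsDepth(body.text, maxDepth)) return { ok: false, reason: "html-too-deep" };
  return body;
}
```

A declared `Content-Length` can be checked first as a cheap reject, but the running byte count is what enforces the cap, since the header may be absent or wrong.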