PT-2026-23553

Vincent Koc · Published 2026-02-13 · Updated 2026-03-18 · CVE-2026-28478

CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions: OpenClaw versions prior to 2026.2.13; clawdbot versions prior to 2026.1.24-3
Description: The software contains a denial-of-service issue in its webhook handlers caused by insufficient limits on request body size and processing time. A remote, unauthenticated attacker can send oversized JSON payloads or slow uploads to the webhook endpoints, driving up memory usage and degrading the service. The root cause is inconsistent enforcement of the maxBytes and timeoutMs limits on buffered request payloads across the webhook code paths: some handlers parse request bodies themselves without adequate stream-level protection, so the size and time limits are not applied while the body is still arriving. Affected webhook endpoints include LINE, Nextcloud Talk, Google Chat, Zalo, BlueBubbles, Nostr profile HTTP, voice-call, and gateway hooks. The Slack, Telegram, and Feishu handlers are affected because they parse request bodies internally; the MS Teams webhook path is affected because no explicit Express JSON body limit is applied.
Recommendations: OpenClaw versions prior to 2026.2.13 should be upgraded to version 2026.2.13 or later. clawdbot versions prior to 2026.1.24-3 should be upgraded to version 2026.1.24-3 or later.

Fix · DoS · Resource Exhaustion · Allocation of Resources Without Limits


Weakness Enumeration

Related Identifiers

BDU:2026-06166
CVE-2026-28478
GHSA-Q447-RJ3R-2CGH

Affected Products

Bluebubbles
Feishu
Google Chat
Line
Ms Teams
Nextcloud Talk
Nostr
Openclaw
Slack
Telegram
Zalo
Clawdbot