PT-2026-27228 · Openclaw · Openclaw

Migraine +1 · Published 2026-03-23 · Updated 2026-03-23 · CVE-2026-32066

CVSS v3.1: 7.5 High (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

OpenClaw before 2026.3.1 contains an unbounded memory growth vulnerability in the Zalo webhook endpoint that allows unauthenticated attackers to trigger memory exhaustion by varying query strings. Attackers can send repeated requests with different query parameters to the same webhook route, causing unbounded in-memory key accumulation that leads to memory pressure, process instability, or out-of-memory conditions.
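
The failure mode described above, as an added example that is not OpenClaw code and does not show how the project fixed it. It assumes per-request state kept in a Map keyed on the request target; the route name, cap and function names are hypothetical, and the requests are constructed.

```javascript
// Added illustration; not OpenClaw code. All names are hypothetical.
const WEBHOOK_PATH = '/webhook/zalo'; // assumed route name
const MAX_KEYS = 1000;                // assumed hard cap on tracked keys

// Weak pattern: state keyed on the raw request target, so every distinct
// query string creates a new entry that is never evicted.
function trackByRawUrl(state, rawUrl) {
  state.set(rawUrl, (state.get(rawUrl) || 0) + 1);
  return state.size;
}

// Bounded pattern: key on the normalized pathname of known routes only,
// and evict the oldest entry once the cap is reached.
function trackByRoute(state, rawUrl, knownRoutes = new Set([WEBHOOK_PATH])) {
  let pathname;
  try {
    ({ pathname } = new URL(rawUrl, 'http://localhost'));
  } catch {
    return state.size; // unparseable target: store nothing
  }
  if (!knownRoutes.has(pathname)) return state.size; // unknown path: store nothing
  if (!state.has(pathname) && state.size >= MAX_KEYS) {
    state.delete(state.keys().next().value); // Map iterates in insertion order
  }
  state.set(pathname, (state.get(pathname) || 0) + 1);
  return state.size;
}

// Constructed input: n requests to one route, each with a unique query string.
function simulate(tracker, n) {
  const state = new Map();
  for (let i = 0; i < n; i++) tracker(state, `${WEBHOOK_PATH}?nonce=${i}`);
  return state;
}

const weak = simulate(trackByRawUrl, 5000);
const bounded = simulate(trackByRoute, 5000);
console.log(`raw-URL keys: ${weak.size}, route keys: ${bounded.size}`);
```

A useful regression check for this class of bug is to assert that the size of any request-derived map stays constant when only the query string varies.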

Fix

Allocation of Resources Without Limits

Weakness Enumeration

Related Identifiers

CVE-2026-32066

Affected Products

Openclaw