CVE-2026-28478
OpenClaw affected by denial of service via unbounded webhook request body buffering
Description
### Summary Multiple webhook handlers accepted and buffered request bodies without a strict unified byte/time limit. A remote unauthenticated attacker could send oversized payloads and cause memory pressure, degrading availability. ### Details Affected packages: - `openclaw` (npm): `<2026.2.12` - `clawdbot` (npm): `<=2026.1.24-3` Root cause: - Webhook code paths buffered request payloads without consistent `maxBytes` + `timeoutMs` enforcement. - Some SDK-backed handlers parse request bodies internally and needed stream-level guards. Attack shape: - Send very large JSON payloads or slow/incomplete uploads to webhook endpoints. - Observe elevated memory usage and request handler pressure. ### Impact Remote unauthenticated availability impact (DoS) via request body amplification/memory pressure. ### Patch details (implemented) - Added shared bounded request-body helper in `src/infra/http-body.ts`. - Exported helper in `src/plugin-sdk/index.ts` for extension reuse. - Migrated webhook body readers to shared helper for: - LINE - Nextcloud Talk - Google Chat - Zalo - BlueBubbles - Nostr profile HTTP - Voice-call - Gateway hooks - Added stream guards for SDK handlers that parse request bodies internally: - Slack - Telegram - Feishu - Added explicit Express JSON body limit handling for MS Teams webhook path. - Standardized failure responses: - `413 Payload Too Large` - `408 Request Timeout` ### Tests - Added regression tests: - `src/infra/http-body.test.ts` - `src/line/monitor.read-body.test.ts` - `extensions/nextcloud-talk/src/monitor.read-body.test.ts` - Focused webhook/security test suite passes for patched paths. ### Remediation Upgrade to the first release containing this patch. ## Credits Thanks @vincentkoc for reporting.
How to fix CVE-2026-28478
To remediate CVE-2026-28478, upgrade the affected package to a fixed version below.
- —no fix listed
- —upgrade to 2026.2.13 or later
Is CVE-2026-28478 being exploited?
Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.