CVE-2026-28461
Published: 19 March 2026
Summary
CVE-2026-28461 is a high-severity Allocation of Resources Without Limits or Throttling (CWE-770) vulnerability in Openclaw Openclaw. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 27.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
SI-2 ensures timely patching of known flaws like CVE-2026-28461 by upgrading OpenClaw to version 2026.3.1 or later, eliminating the unbounded memory growth vulnerability.
SC-5 directly protects against denial-of-service attacks, including resource exhaustion from repeated requests causing unbounded in-memory key accumulation at the Zalo webhook endpoint.
SC-6 enforces resource allocation policies to bound memory usage, preventing degradation from progressive key buildup triggered by varying query parameters.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Public-facing Zalo webhook endpoint (CWE-770) is directly exploitable by unauthenticated remote attackers for memory exhaustion DoS via application exploitation.
NVD Description
OpenClaw versions prior to 2026.3.1 contain an unbounded memory growth vulnerability in the Zalo webhook endpoint that allows unauthenticated attackers to trigger in-memory key accumulation by varying query strings. Remote attackers can exploit this by sending repeated requests with different…
more
query parameters to cause memory pressure, process instability, or out-of-memory conditions that degrade service availability.
Deeper analysisAI
CVE-2026-28461, published on 2026-03-19, is an unbounded memory growth vulnerability (CWE-770) affecting OpenClaw versions prior to 2026.3.1. The issue resides in the Zalo webhook endpoint, where varying query strings trigger in-memory key accumulation without bounds. This flaw has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), highlighting its high availability impact with no requirements for privileges, user interaction, or scope changes.
Unauthenticated remote attackers can exploit the vulnerability by sending repeated requests with different query parameters to the Zalo webhook endpoint. This causes progressive in-memory key buildup, resulting in memory pressure, process instability, or out-of-memory conditions that degrade service availability and potentially lead to denial-of-service.
Advisories from the OpenClaw GitHub security page (GHSA-wr6m-jg37-68xh) and VulnCheck recommend upgrading to OpenClaw version 2026.3.1 or later to mitigate the issue, as prior versions remain vulnerable to this unbounded memory growth.
Details
- CWE(s)