OpenClaw npm packages, Unauthenticated DoS, CVE-2026-XXXXX (High)

Listen to this Post

This vulnerability stems from multiple webhook handlers within the OpenClaw and Clawdbot npm packages lacking a unified limit for request body size and processing time . The core issue is that these endpoints would accept and fully buffer incoming HTTP payloads without enforcing `maxBytes` and `timeoutMs` controls. A remote, unauthenticated attacker can exploit this by sending oversized or slowly delivered JSON payloads to various webhook endpoints, such as those for LINE, Google Chat, or MS Teams. This action causes the server to allocate excessive memory while attempting to buffer the entire malicious request. By amplifying resource consumption through multiple such requests, an attacker can induce significant memory pressure on the server. This pressure degrades the overall availability of the service, leading to a Denial-of-Service (DoS) condition. The vulnerability affects `openclaw` versions before 2026.2.12 and `clawdbot` versions up to 2026.1.24-3 . The fix involved creating a shared request-body helper with strict limits in `src/infra/http-body.ts` and migrating all vulnerable webhook paths to use it . Additionally, stream-level guards were added for SDK-based handlers, and endpoints now properly return `413 Payload Too Large` or `408 Request Timeout` errors .

dailycve form:

Platform: OpenClaw npm packages
Version: <2026.2.12 / <=2026.1.24-3
Vulnerability : Webhook DoS amplification
Severity: High
date: 2026-02-18

Prediction: Patched 2026.02.12

What Undercode Say:

Analytics:

Check installed version of openclaw
npm list openclaw
Check installed version of clawdbot
npm list clawdbot
View package metadata for openclaw from npm registry
npm view openclaw version
View package metadata for clawdbot from npm registry
npm view clawdbot version

How Exploit:

Send a large JSON payload to a vulnerable webhook endpoint to cause memory pressure
curl -X POST https://target.openclaw.ai/hooks/agent \
-H "Content-Type: application/json" \
--data-binary @<(dd if=/dev/zero bs=1M count=100 | tr '\0' 'X' && echo -n '{"data": "end"}')

Protection from this CVE:

Upgrade openclaw to the patched version
npm install [email protected]
Upgrade clawdbot to a patched version (if available beyond 2026.1.24-3)
npm install clawdbot@latest
Alternatively, use npm-check-updates to update
npx npm-check-updates -u openclaw
npm install

Impact:

Remote unauthenticated attackers can cause memory exhaustion, leading to service unavailability and degraded performance for all users .

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top