Listen to this Post
This vulnerability stems from multiple webhook handlers within the OpenClaw and Clawdbot npm packages lacking a unified limit for request body size and processing time . The core issue is that these endpoints would accept and fully buffer incoming HTTP payloads without enforcing `maxBytes` and `timeoutMs` controls. A remote, unauthenticated attacker can exploit this by sending oversized or slowly delivered JSON payloads to various webhook endpoints, such as those for LINE, Google Chat, or MS Teams. This action causes the server to allocate excessive memory while attempting to buffer the entire malicious request. By amplifying resource consumption through multiple such requests, an attacker can induce significant memory pressure on the server. This pressure degrades the overall availability of the service, leading to a Denial-of-Service (DoS) condition. The vulnerability affects `openclaw` versions before 2026.2.12 and `clawdbot` versions up to 2026.1.24-3 . The fix involved creating a shared request-body helper with strict limits in `src/infra/http-body.ts` and migrating all vulnerable webhook paths to use it . Additionally, stream-level guards were added for SDK-based handlers, and endpoints now properly return `413 Payload Too Large` or `408 Request Timeout` errors .
dailycve form:
Platform: OpenClaw npm packages
Version: <2026.2.12 / <=2026.1.24-3
Vulnerability : Webhook DoS amplification
Severity: High
date: 2026-02-18
Prediction: Patched 2026.02.12
What Undercode Say:
Analytics:
Check installed version of openclaw npm list openclaw Check installed version of clawdbot npm list clawdbot View package metadata for openclaw from npm registry npm view openclaw version View package metadata for clawdbot from npm registry npm view clawdbot version
How Exploit:
Send a large JSON payload to a vulnerable webhook endpoint to cause memory pressure
curl -X POST https://target.openclaw.ai/hooks/agent \
-H "Content-Type: application/json" \
--data-binary @<(dd if=/dev/zero bs=1M count=100 | tr '\0' 'X' && echo -n '{"data": "end"}')
Protection from this CVE:
Upgrade openclaw to the patched version npm install [email protected] Upgrade clawdbot to a patched version (if available beyond 2026.1.24-3) npm install clawdbot@latest Alternatively, use npm-check-updates to update npx npm-check-updates -u openclaw npm install
Impact:
Remote unauthenticated attackers can cause memory exhaustion, leading to service unavailability and degraded performance for all users .
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

