Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2026-28478 (GCVE-0-2026-28478)
Vulnerability from cvelistv5 – Published: 2026-03-05 21:59 – Updated: 2026-03-09 18:12
VLAI?
EPSS
Title
OpenClaw < 2026.2.13 - Denial of Service via Unbounded Webhook Request Body Buffering
Summary
OpenClaw versions prior to 2026.2.13 contain a denial of service vulnerability in webhook handlers that buffer request bodies without strict byte or time limits. Remote unauthenticated attackers can send oversized JSON payloads or slow uploads to webhook endpoints causing memory pressure and availability degradation.
Severity ?
CWE
- CWE-770 - Allocation of Resources Without Limits or Throttling
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/openclaw/openclaw/security/adv… | vendor-advisory |
| https://github.com/openclaw/openclaw/commit/3cbcb… | patch |
| https://www.vulncheck.com/advisories/openclaw-den… | third-party-advisory |
Impacted products
Date Public ?
2026-02-15 00:00
Credits
Vincent Koc (@vincentkoc)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-28478",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-09T18:11:57.553824Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-09T18:12:08.104Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"packageURL": "pkg:npm/openclaw",
"product": "OpenClaw",
"vendor": "OpenClaw",
"versions": [
{
"lessThan": "2026.2.13",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"versionEndExcluding": "2026.2.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Vincent Koc (@vincentkoc)"
}
],
"datePublic": "2026-02-15T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "OpenClaw versions prior to 2026.2.13 contain a denial of service vulnerability in webhook handlers that buffer request bodies without strict byte or time limits. Remote unauthenticated attackers can send oversized JSON payloads or slow uploads to webhook endpoints causing memory pressure and availability degradation."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS"
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-770",
"description": "Allocation of Resources Without Limits or Throttling",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-05T22:28:17.627Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"name": "GitHub Security Advisory (GHSA-q447-rj3r-2cgh)",
"tags": [
"vendor-advisory"
],
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-q447-rj3r-2cgh"
},
{
"name": "Patch Commit",
"tags": [
"patch"
],
"url": "https://github.com/openclaw/openclaw/commit/3cbcba10cf30c2ffb898f0d8c7dfb929f15f8930"
},
{
"name": "VulnCheck Advisory: OpenClaw \u003c 2026.2.13 - Denial of Service via Unbounded Webhook Request Body Buffering",
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/openclaw-denial-of-service-via-unbounded-webhook-request-body-buffering"
}
],
"title": "OpenClaw \u003c 2026.2.13 - Denial of Service via Unbounded Webhook Request Body Buffering",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2026-28478",
"datePublished": "2026-03-05T21:59:53.887Z",
"dateReserved": "2026-02-27T19:20:17.867Z",
"dateUpdated": "2026-03-09T18:12:08.104Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2026-28478",
"date": "2026-05-14",
"epss": "0.00142",
"percentile": "0.33986"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2026-28478\",\"sourceIdentifier\":\"disclosure@vulncheck.com\",\"published\":\"2026-03-05T22:16:22.210\",\"lastModified\":\"2026-03-17T18:03:34.133\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"OpenClaw versions prior to 2026.2.13 contain a denial of service vulnerability in webhook handlers that buffer request bodies without strict byte or time limits. Remote unauthenticated attackers can send oversized JSON payloads or slow uploads to webhook endpoints causing memory pressure and availability degradation.\"},{\"lang\":\"es\",\"value\":\"Las versiones de OpenClaw anteriores a 2026.2.13 contienen una vulnerabilidad de denegaci\u00f3n de servicio en los manejadores de webhooks que almacenan en b\u00fafer los cuerpos de las solicitudes sin l\u00edmites estrictos de bytes o de tiempo. Atacantes remotos no autenticados pueden enviar cargas \u00fatiles JSON de tama\u00f1o excesivo o cargas lentas a los puntos finales de webhook, causando presi\u00f3n en la memoria y degradaci\u00f3n de la disponibilidad.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"disclosure@vulncheck.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":8.7,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"NONE\",\"vulnIntegrityImpact\":\"NONE\",\"vulnAvailabilityImpact\":\"HIGH\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}],\"cvssMetricV31\":[{\"source\":\"disclosure@vulncheck.com\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"disclosure@vulncheck.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-770\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*\",\"versionEndExcluding\":\"2026.2.13\",\"matchCriteriaId\":\"E4A04671-72CA-4A53-A994-F382557349BB\"}]}]}],\"references\":[{\"url\":\"https://github.com/openclaw/openclaw/commit/3cbcba10cf30c2ffb898f0d8c7dfb929f15f8930\",\"source\":\"disclosure@vulncheck.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/openclaw/openclaw/security/advisories/GHSA-q447-rj3r-2cgh\",\"source\":\"disclosure@vulncheck.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://www.vulncheck.com/advisories/openclaw-denial-of-service-via-unbounded-webhook-request-body-buffering\",\"source\":\"disclosure@vulncheck.com\",\"tags\":[\"Third Party Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-28478\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-03-09T18:11:57.553824Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-03-09T18:12:04.202Z\"}}], \"cna\": {\"title\": \"OpenClaw \u003c 2026.2.13 - Denial of Service via Unbounded Webhook Request Body Buffering\", \"credits\": [{\"lang\": \"en\", \"type\": \"reporter\", \"value\": \"Vincent Koc (@vincentkoc)\"}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV4_0\": {\"Safety\": \"NOT_DEFINED\", \"version\": \"4.0\", \"Recovery\": \"NOT_DEFINED\", \"baseScore\": 8.7, \"Automatable\": \"NOT_DEFINED\", \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"valueDensity\": \"NOT_DEFINED\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N\", \"exploitMaturity\": \"NOT_DEFINED\", \"providerUrgency\": \"NOT_DEFINED\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"NONE\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"NONE\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"HIGH\", \"subConfidentialityImpact\": \"NONE\", \"vulnConfidentialityImpact\": \"NONE\", \"vulnerabilityResponseEffort\": \"NOT_DEFINED\"}}, {\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"OpenClaw\", \"product\": \"OpenClaw\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"2026.2.13\", \"versionType\": \"custom\"}], \"packageURL\": \"pkg:npm/openclaw\", \"defaultStatus\": \"unaffected\"}], \"datePublic\": \"2026-02-15T00:00:00.000Z\", \"references\": [{\"url\": \"https://github.com/openclaw/openclaw/security/advisories/GHSA-q447-rj3r-2cgh\", \"name\": \"GitHub Security Advisory (GHSA-q447-rj3r-2cgh)\", \"tags\": [\"vendor-advisory\"]}, {\"url\": \"https://github.com/openclaw/openclaw/commit/3cbcba10cf30c2ffb898f0d8c7dfb929f15f8930\", \"name\": \"Patch Commit\", \"tags\": [\"patch\"]}, {\"url\": \"https://www.vulncheck.com/advisories/openclaw-denial-of-service-via-unbounded-webhook-request-body-buffering\", \"name\": \"VulnCheck Advisory: OpenClaw \u003c 2026.2.13 - Denial of Service via Unbounded Webhook Request Body Buffering\", \"tags\": [\"third-party-advisory\"]}], \"x_generator\": {\"engine\": \"vulncheck\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"OpenClaw versions prior to 2026.2.13 contain a denial of service vulnerability in webhook handlers that buffer request bodies without strict byte or time limits. Remote unauthenticated attackers can send oversized JSON payloads or slow uploads to webhook endpoints causing memory pressure and availability degradation.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-770\", \"description\": \"Allocation of Resources Without Limits or Throttling\"}]}], \"cpeApplicability\": [{\"nodes\": [{\"negate\": false, \"cpeMatch\": [{\"criteria\": \"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"2026.2.13\"}], \"operator\": \"OR\"}]}], \"providerMetadata\": {\"orgId\": \"83251b91-4cc7-4094-a5c7-464a1b83ea10\", \"shortName\": \"VulnCheck\", \"dateUpdated\": \"2026-03-05T22:28:17.627Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2026-28478\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-03-09T18:12:08.104Z\", \"dateReserved\": \"2026-02-27T19:20:17.867Z\", \"assignerOrgId\": \"83251b91-4cc7-4094-a5c7-464a1b83ea10\", \"datePublished\": \"2026-03-05T21:59:53.887Z\", \"assignerShortName\": \"VulnCheck\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
WID-SEC-W-2026-0424
Vulnerability from csaf_certbund - Published: 2026-02-15 23:00 - Updated: 2026-03-05 23:00Summary
OpenClaw: Mehrere Schwachstellen
Severity
Hoch
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung: OpenClaw ist ein persönlicher KI-Assistent zur Ausführung auf eigenen Geräten.
Angriff: Ein Angreifer kann diese Schwachstellen in OpenClaw ausnutzen, um beliebigen Programmcode auszuführen, sich erhöhte Berechtigungen zu verschaffen, Sicherheitsmaßnahmen zu umgehen, Daten zu manipulieren, einen Denial-of-Service-Zustand herbeizuführen, vertrauliche Informationen offenzulegen oder andere, nicht näher bezeichnete Angriffe durchzuführen.
Betroffene Betriebssysteme: - Sonstiges
- UNIX
Affected products
Known affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Open Source OpenClaw <2026.2.14
Open Source / OpenClaw
|
<2026.2.14 |
Affected products
Known affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Open Source OpenClaw <2026.2.14
Open Source / OpenClaw
|
<2026.2.14 |
Affected products
Known affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Open Source OpenClaw <2026.2.14
Open Source / OpenClaw
|
<2026.2.14 |
Affected products
Known affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Open Source OpenClaw <2026.2.14
Open Source / OpenClaw
|
<2026.2.14 |
Affected products
Known affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Open Source OpenClaw <2026.2.14
Open Source / OpenClaw
|
<2026.2.14 |
Affected products
Known affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Open Source OpenClaw <2026.2.14
Open Source / OpenClaw
|
<2026.2.14 |
Affected products
Known affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Open Source OpenClaw <2026.2.14
Open Source / OpenClaw
|
<2026.2.14 |
Affected products
Known affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Open Source OpenClaw <2026.2.14
Open Source / OpenClaw
|
<2026.2.14 |
Affected products
Known affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Open Source OpenClaw <2026.2.14
Open Source / OpenClaw
|
<2026.2.14 |
Affected products
Known affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Open Source OpenClaw <2026.2.14
Open Source / OpenClaw
|
<2026.2.14 |
Affected products
Known affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Open Source OpenClaw <2026.2.14
Open Source / OpenClaw
|
<2026.2.14 |
Affected products
Known affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Open Source OpenClaw <2026.2.14
Open Source / OpenClaw
|
<2026.2.14 |
Affected products
Known affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Open Source OpenClaw <2026.2.14
Open Source / OpenClaw
|
<2026.2.14 |
Affected products
Known affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Open Source OpenClaw <2026.2.14
Open Source / OpenClaw
|
<2026.2.14 |
Affected products
Known affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Open Source OpenClaw <2026.2.14
Open Source / OpenClaw
|
<2026.2.14 |
Affected products
Known affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Open Source OpenClaw <2026.2.14
Open Source / OpenClaw
|
<2026.2.14 |
Affected products
Known affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Open Source OpenClaw <2026.2.14
Open Source / OpenClaw
|
<2026.2.14 |
Affected products
Known affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Open Source OpenClaw <2026.2.14
Open Source / OpenClaw
|
<2026.2.14 |
Affected products
Known affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Open Source OpenClaw <2026.2.14
Open Source / OpenClaw
|
<2026.2.14 |
Affected products
Known affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Open Source OpenClaw <2026.2.14
Open Source / OpenClaw
|
<2026.2.14 |
Affected products
Known affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Open Source OpenClaw <2026.2.14
Open Source / OpenClaw
|
<2026.2.14 |
Affected products
Known affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Open Source OpenClaw <2026.2.14
Open Source / OpenClaw
|
<2026.2.14 |
Affected products
Known affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Open Source OpenClaw <2026.2.14
Open Source / OpenClaw
|
<2026.2.14 |
Affected products
Known affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Open Source OpenClaw <2026.2.14
Open Source / OpenClaw
|
<2026.2.14 |
Affected products
Known affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Open Source OpenClaw <2026.2.14
Open Source / OpenClaw
|
<2026.2.14 |
Affected products
Known affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Open Source OpenClaw <2026.2.14
Open Source / OpenClaw
|
<2026.2.14 |
Affected products
Known affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Open Source OpenClaw <2026.2.14
Open Source / OpenClaw
|
<2026.2.14 |
Affected products
Known affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Open Source OpenClaw <2026.2.14
Open Source / OpenClaw
|
<2026.2.14 |
Affected products
Known affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Open Source OpenClaw <2026.2.14
Open Source / OpenClaw
|
<2026.2.14 |
Affected products
Known affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Open Source OpenClaw <2026.2.14
Open Source / OpenClaw
|
<2026.2.14 |
Affected products
Known affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Open Source OpenClaw <2026.2.14
Open Source / OpenClaw
|
<2026.2.14 |
Affected products
Known affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Open Source OpenClaw <2026.2.14
Open Source / OpenClaw
|
<2026.2.14 |
Affected products
Known affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Open Source OpenClaw <2026.2.14
Open Source / OpenClaw
|
<2026.2.14 |
Affected products
Known affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Open Source OpenClaw <2026.2.14
Open Source / OpenClaw
|
<2026.2.14 |
Affected products
Known affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Open Source OpenClaw <2026.2.14
Open Source / OpenClaw
|
<2026.2.14 |
Affected products
Known affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Open Source OpenClaw <2026.2.14
Open Source / OpenClaw
|
<2026.2.14 |
Affected products
Known affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Open Source OpenClaw <2026.2.14
Open Source / OpenClaw
|
<2026.2.14 |
Affected products
Known affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Open Source OpenClaw <2026.2.14
Open Source / OpenClaw
|
<2026.2.14 |
Affected products
Known affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Open Source OpenClaw <2026.2.14
Open Source / OpenClaw
|
<2026.2.14 |
Affected products
Known affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Open Source OpenClaw <2026.2.14
Open Source / OpenClaw
|
<2026.2.14 |
Affected products
Known affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Open Source OpenClaw <2026.2.14
Open Source / OpenClaw
|
<2026.2.14 |
Affected products
Known affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Open Source OpenClaw <2026.2.14
Open Source / OpenClaw
|
<2026.2.14 |
Affected products
Known affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Open Source OpenClaw <2026.2.14
Open Source / OpenClaw
|
<2026.2.14 |
Affected products
Known affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Open Source OpenClaw <2026.2.14
Open Source / OpenClaw
|
<2026.2.14 |
References
69 references
{
"document": {
"aggregate_severity": {
"text": "hoch"
},
"category": "csaf_base",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "de-DE",
"notes": [
{
"category": "legal_disclaimer",
"text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
},
{
"category": "description",
"text": "OpenClaw ist ein pers\u00f6nlicher KI-Assistent zur Ausf\u00fchrung auf eigenen Ger\u00e4ten.",
"title": "Produktbeschreibung"
},
{
"category": "summary",
"text": "Ein Angreifer kann diese Schwachstellen in OpenClaw ausnutzen, um beliebigen Programmcode auszuf\u00fchren, sich erh\u00f6hte Berechtigungen zu verschaffen, Sicherheitsma\u00dfnahmen zu umgehen, Daten zu manipulieren, einen Denial-of-Service-Zustand herbeizuf\u00fchren, vertrauliche Informationen offenzulegen oder andere, nicht n\u00e4her bezeichnete Angriffe durchzuf\u00fchren.",
"title": "Angriff"
},
{
"category": "general",
"text": "- Sonstiges\n- UNIX",
"title": "Betroffene Betriebssysteme"
}
],
"publisher": {
"category": "other",
"contact_details": "csaf-provider@cert-bund.de",
"name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
"namespace": "https://www.bsi.bund.de"
},
"references": [
{
"category": "self",
"summary": "WID-SEC-W-2026-0424 - CSAF Version",
"url": "https://wid.cert-bund.de/.well-known/csaf/white/2026/wid-sec-w-2026-0424.json"
},
{
"category": "self",
"summary": "WID-SEC-2026-0424 - Portal Version",
"url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-0424"
},
{
"category": "external",
"summary": "openclaw GitHub vom 2026-02-15",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-33rq-m5x2-fvgf"
},
{
"category": "external",
"summary": "openclaw GitHub vom 2026-02-15",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-3fqr-4cg8-h96q"
},
{
"category": "external",
"summary": "openclaw GitHub vom 2026-02-15",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-3hcm-ggvf-rch5"
},
{
"category": "external",
"summary": "openclaw GitHub vom 2026-02-15",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-3m3q-x3gj-f79x"
},
{
"category": "external",
"summary": "openclaw GitHub vom 2026-02-15",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-4564-pvr2-qq4h"
},
{
"category": "external",
"summary": "openclaw GitHub vom 2026-02-15",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-47q7-97xp-m272"
},
{
"category": "external",
"summary": "openclaw GitHub vom 2026-02-15",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-4hg8-92x6-h2f3"
},
{
"category": "external",
"summary": "openclaw GitHub vom 2026-02-15",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-4rj2-gpmh-qq5x"
},
{
"category": "external",
"summary": "openclaw GitHub vom 2026-02-15",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-56f2-hvwg-5743"
},
{
"category": "external",
"summary": "openclaw GitHub vom 2026-02-15",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-5xfq-5mr7-426q"
},
{
"category": "external",
"summary": "openclaw GitHub vom 2026-02-15",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-64qx-vpxx-mvqf"
},
{
"category": "external",
"summary": "openclaw GitHub vom 2026-02-15",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-782p-5fr5-7fj8"
},
{
"category": "external",
"summary": "openclaw GitHub vom 2026-02-15",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-7q2j-c4q5-rm27"
},
{
"category": "external",
"summary": "openclaw GitHub vom 2026-02-15",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-7rcp-mxpq-72pj"
},
{
"category": "external",
"summary": "openclaw GitHub vom 2026-02-15",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-7vwx-582j-j332"
},
{
"category": "external",
"summary": "openclaw GitHub vom 2026-02-15",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-7xhj-55q9-pc3m"
},
{
"category": "external",
"summary": "openclaw GitHub vom 2026-02-15",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-8mh7-phf8-xgfm"
},
{
"category": "external",
"summary": "openclaw GitHub vom 2026-02-15",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-943q-mwmv-hhvh"
},
{
"category": "external",
"summary": "openclaw GitHub vom 2026-02-15",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-c37p-4qqg-3p76"
},
{
"category": "external",
"summary": "openclaw GitHub vom 2026-02-15",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-chm2-m3w2-wcxm"
},
{
"category": "external",
"summary": "openclaw GitHub vom 2026-02-15",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-cv7m-c9jx-vg7q"
},
{
"category": "external",
"summary": "openclaw GitHub vom 2026-02-15",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-fhvm-j76f-qmjv"
},
{
"category": "external",
"summary": "openclaw GitHub vom 2026-02-15",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-g27f-9qjv-22pm"
},
{
"category": "external",
"summary": "openclaw GitHub vom 2026-02-15",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-g34w-4xqq-h79m"
},
{
"category": "external",
"summary": "openclaw GitHub vom 2026-02-15",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-g6q9-8fvw-f7rf"
},
{
"category": "external",
"summary": "openclaw GitHub vom 2026-02-15",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-gq9c-wg68-gwj2"
},
{
"category": "external",
"summary": "openclaw GitHub vom 2026-02-15",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-gv46-4xfq-jv58"
},
{
"category": "external",
"summary": "openclaw GitHub vom 2026-02-15",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-h3f9-mjwj-w476"
},
{
"category": "external",
"summary": "openclaw GitHub vom 2026-02-15",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-h89v-j3x9-8wqj"
},
{
"category": "external",
"summary": "openclaw GitHub vom 2026-02-15",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-h9g4-589h-68xv"
},
{
"category": "external",
"summary": "openclaw GitHub vom 2026-02-15",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-hv93-r4j3-q65f"
},
{
"category": "external",
"summary": "openclaw GitHub vom 2026-02-15",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-j27p-hq53-9wgc"
},
{
"category": "external",
"summary": "openclaw GitHub vom 2026-02-15",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-jfv4-h8mc-jcp8"
},
{
"category": "external",
"summary": "openclaw GitHub vom 2026-02-15",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-jmm5-fvh5-gf4p"
},
{
"category": "external",
"summary": "openclaw GitHub vom 2026-02-15",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-jqpq-mgvm-f9r6"
},
{
"category": "external",
"summary": "openclaw GitHub vom 2026-02-15",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-jrvc-8ff5-2f9f"
},
{
"category": "external",
"summary": "openclaw GitHub vom 2026-02-15",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-m7x8-2w3w-pr42"
},
{
"category": "external",
"summary": "openclaw GitHub vom 2026-02-15",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-mj5r-hh7j-4gxf"
},
{
"category": "external",
"summary": "openclaw GitHub vom 2026-02-15",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-mp5h-m6qj-6292"
},
{
"category": "external",
"summary": "openclaw GitHub vom 2026-02-15",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-mqpw-46fh-299h"
},
{
"category": "external",
"summary": "openclaw GitHub vom 2026-02-15",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-mr32-vwc2-5j6h"
},
{
"category": "external",
"summary": "openclaw GitHub vom 2026-02-15",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-mv9j-6xhh-g383"
},
{
"category": "external",
"summary": "openclaw GitHub vom 2026-02-15",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-p25h-9q54-ffvw"
},
{
"category": "external",
"summary": "openclaw GitHub vom 2026-02-15",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-pchc-86f6-8758"
},
{
"category": "external",
"summary": "openclaw GitHub vom 2026-02-15",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-pg2v-8xwh-qhcc"
},
{
"category": "external",
"summary": "openclaw GitHub vom 2026-02-15",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-pv58-549p-qh99"
},
{
"category": "external",
"summary": "openclaw GitHub vom 2026-02-15",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-q447-rj3r-2cgh"
},
{
"category": "external",
"summary": "openclaw GitHub vom 2026-02-15",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-qj77-c3c8-9c3q"
},
{
"category": "external",
"summary": "openclaw GitHub vom 2026-02-15",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-qpjj-47vm-64pj"
},
{
"category": "external",
"summary": "openclaw GitHub vom 2026-02-15",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-qrq5-wjgg-rvqw"
},
{
"category": "external",
"summary": "openclaw GitHub vom 2026-02-15",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-qw99-grcx-4pvm"
},
{
"category": "external",
"summary": "openclaw GitHub vom 2026-02-15",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-r5h9-vjqc-hq3r"
},
{
"category": "external",
"summary": "openclaw GitHub vom 2026-02-15",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-rmxw-jxxx-4cpc"
},
{
"category": "external",
"summary": "openclaw GitHub vom 2026-02-15",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-rq6g-px6m-c248"
},
{
"category": "external",
"summary": "openclaw GitHub vom 2026-02-15",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-rv39-79c4-7459"
},
{
"category": "external",
"summary": "openclaw GitHub vom 2026-02-15",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-rwj8-p9vq-25gv"
},
{
"category": "external",
"summary": "openclaw GitHub vom 2026-02-15",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-v6c6-vqqg-w888"
},
{
"category": "external",
"summary": "openclaw GitHub vom 2026-02-15",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-v773-r54f-q32w"
},
{
"category": "external",
"summary": "openclaw GitHub vom 2026-02-15",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-v892-hwpg-jwqp"
},
{
"category": "external",
"summary": "openclaw GitHub vom 2026-02-15",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-w2cg-vxx6-5xjg"
},
{
"category": "external",
"summary": "openclaw GitHub vom 2026-02-15",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-w5c7-9qqw-6645"
},
{
"category": "external",
"summary": "openclaw GitHub vom 2026-02-15",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-wfp2-v9c7-fh79"
},
{
"category": "external",
"summary": "openclaw GitHub vom 2026-02-15",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-x22m-j5qq-j49m"
},
{
"category": "external",
"summary": "openclaw GitHub vom 2026-02-15",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-xc7w-v5x6-cc87"
},
{
"category": "external",
"summary": "openclaw GitHub vom 2026-02-15",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-xvhf-x56f-2hpp"
},
{
"category": "external",
"summary": "openclaw GitHub vom 2026-02-15",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-xw4p-pw82-hqr7"
},
{
"category": "external",
"summary": "openclaw GitHub vom 2026-02-15",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-xwjm-j929-xq7c"
}
],
"source_lang": "en-US",
"title": "OpenClaw: Mehrere Schwachstellen",
"tracking": {
"current_release_date": "2026-03-05T23:00:00.000+00:00",
"generator": {
"date": "2026-03-06T07:07:21.689+00:00",
"engine": {
"name": "BSI-WID",
"version": "1.5.0"
}
},
"id": "WID-SEC-W-2026-0424",
"initial_release_date": "2026-02-15T23:00:00.000+00:00",
"revision_history": [
{
"date": "2026-02-15T23:00:00.000+00:00",
"number": "1",
"summary": "Initiale Fassung"
},
{
"date": "2026-03-05T23:00:00.000+00:00",
"number": "2",
"summary": "CVE-Nummern erg\u00e4nzt"
}
],
"status": "final",
"version": "2"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c2026.2.14",
"product": {
"name": "Open Source OpenClaw \u003c2026.2.14",
"product_id": "T050918"
}
},
{
"category": "product_version",
"name": "2026.2.14",
"product": {
"name": "Open Source OpenClaw 2026.2.14",
"product_id": "T050918-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:openclaw:openclaw:2026.2.14"
}
}
}
],
"category": "product_name",
"name": "OpenClaw"
}
],
"category": "vendor",
"name": "Open Source"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-28391",
"product_status": {
"known_affected": [
"T050918"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2026-28391"
},
{
"cve": "CVE-2026-28392",
"product_status": {
"known_affected": [
"T050918"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2026-28392"
},
{
"cve": "CVE-2026-28393",
"product_status": {
"known_affected": [
"T050918"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2026-28393"
},
{
"cve": "CVE-2026-28395",
"product_status": {
"known_affected": [
"T050918"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2026-28395"
},
{
"cve": "CVE-2026-28446",
"product_status": {
"known_affected": [
"T050918"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2026-28446"
},
{
"cve": "CVE-2026-28447",
"product_status": {
"known_affected": [
"T050918"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2026-28447"
},
{
"cve": "CVE-2026-28448",
"product_status": {
"known_affected": [
"T050918"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2026-28448"
},
{
"cve": "CVE-2026-28450",
"product_status": {
"known_affected": [
"T050918"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2026-28450"
},
{
"cve": "CVE-2026-28451",
"product_status": {
"known_affected": [
"T050918"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2026-28451"
},
{
"cve": "CVE-2026-28452",
"product_status": {
"known_affected": [
"T050918"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2026-28452"
},
{
"cve": "CVE-2026-28453",
"product_status": {
"known_affected": [
"T050918"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2026-28453"
},
{
"cve": "CVE-2026-28454",
"product_status": {
"known_affected": [
"T050918"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2026-28454"
},
{
"cve": "CVE-2026-28456",
"product_status": {
"known_affected": [
"T050918"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2026-28456"
},
{
"cve": "CVE-2026-28457",
"product_status": {
"known_affected": [
"T050918"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2026-28457"
},
{
"cve": "CVE-2026-28458",
"product_status": {
"known_affected": [
"T050918"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2026-28458"
},
{
"cve": "CVE-2026-28459",
"product_status": {
"known_affected": [
"T050918"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2026-28459"
},
{
"cve": "CVE-2026-28462",
"product_status": {
"known_affected": [
"T050918"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2026-28462"
},
{
"cve": "CVE-2026-28463",
"product_status": {
"known_affected": [
"T050918"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2026-28463"
},
{
"cve": "CVE-2026-28464",
"product_status": {
"known_affected": [
"T050918"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2026-28464"
},
{
"cve": "CVE-2026-28465",
"product_status": {
"known_affected": [
"T050918"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2026-28465"
},
{
"cve": "CVE-2026-28466",
"product_status": {
"known_affected": [
"T050918"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2026-28466"
},
{
"cve": "CVE-2026-28467",
"product_status": {
"known_affected": [
"T050918"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2026-28467"
},
{
"cve": "CVE-2026-28468",
"product_status": {
"known_affected": [
"T050918"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2026-28468"
},
{
"cve": "CVE-2026-28469",
"product_status": {
"known_affected": [
"T050918"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2026-28469"
},
{
"cve": "CVE-2026-28470",
"product_status": {
"known_affected": [
"T050918"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2026-28470"
},
{
"cve": "CVE-2026-28471",
"product_status": {
"known_affected": [
"T050918"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2026-28471"
},
{
"cve": "CVE-2026-28472",
"product_status": {
"known_affected": [
"T050918"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2026-28472"
},
{
"cve": "CVE-2026-28473",
"product_status": {
"known_affected": [
"T050918"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2026-28473"
},
{
"cve": "CVE-2026-28474",
"product_status": {
"known_affected": [
"T050918"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2026-28474"
},
{
"cve": "CVE-2026-28475",
"product_status": {
"known_affected": [
"T050918"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2026-28475"
},
{
"cve": "CVE-2026-28476",
"product_status": {
"known_affected": [
"T050918"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2026-28476"
},
{
"cve": "CVE-2026-28477",
"product_status": {
"known_affected": [
"T050918"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2026-28477"
},
{
"cve": "CVE-2026-28478",
"product_status": {
"known_affected": [
"T050918"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2026-28478"
},
{
"cve": "CVE-2026-28480",
"product_status": {
"known_affected": [
"T050918"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2026-28480"
},
{
"cve": "CVE-2026-28481",
"product_status": {
"known_affected": [
"T050918"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2026-28481"
},
{
"cve": "CVE-2026-28482",
"product_status": {
"known_affected": [
"T050918"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2026-28482"
},
{
"cve": "CVE-2026-28485",
"product_status": {
"known_affected": [
"T050918"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2026-28485"
},
{
"cve": "CVE-2026-28486",
"product_status": {
"known_affected": [
"T050918"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2026-28486"
},
{
"cve": "CVE-2026-29606",
"product_status": {
"known_affected": [
"T050918"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2026-29606"
},
{
"cve": "CVE-2026-29609",
"product_status": {
"known_affected": [
"T050918"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2026-29609"
},
{
"cve": "CVE-2026-29610",
"product_status": {
"known_affected": [
"T050918"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2026-29610"
},
{
"cve": "CVE-2026-29611",
"product_status": {
"known_affected": [
"T050918"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2026-29611"
},
{
"cve": "CVE-2026-29612",
"product_status": {
"known_affected": [
"T050918"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2026-29612"
},
{
"cve": "CVE-2026-29613",
"product_status": {
"known_affected": [
"T050918"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2026-29613"
}
]
}
FKIE_CVE-2026-28478
Vulnerability from fkie_nvd - Published: 2026-03-05 22:16 - Updated: 2026-03-17 18:03
Severity ?
Summary
OpenClaw versions prior to 2026.2.13 contain a denial of service vulnerability in webhook handlers that buffer request bodies without strict byte or time limits. Remote unauthenticated attackers can send oversized JSON payloads or slow uploads to webhook endpoints causing memory pressure and availability degradation.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"matchCriteriaId": "E4A04671-72CA-4A53-A994-F382557349BB",
"versionEndExcluding": "2026.2.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "OpenClaw versions prior to 2026.2.13 contain a denial of service vulnerability in webhook handlers that buffer request bodies without strict byte or time limits. Remote unauthenticated attackers can send oversized JSON payloads or slow uploads to webhook endpoints causing memory pressure and availability degradation."
},
{
"lang": "es",
"value": "Las versiones de OpenClaw anteriores a 2026.2.13 contienen una vulnerabilidad de denegaci\u00f3n de servicio en los manejadores de webhooks que almacenan en b\u00fafer los cuerpos de las solicitudes sin l\u00edmites estrictos de bytes o de tiempo. Atacantes remotos no autenticados pueden enviar cargas \u00fatiles JSON de tama\u00f1o excesivo o cargas lentas a los puntos finales de webhook, causando presi\u00f3n en la memoria y degradaci\u00f3n de la disponibilidad."
}
],
"id": "CVE-2026-28478",
"lastModified": "2026-03-17T18:03:34.133",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "disclosure@vulncheck.com",
"type": "Primary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "NOT_DEFINED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "disclosure@vulncheck.com",
"type": "Secondary"
}
]
},
"published": "2026-03-05T22:16:22.210",
"references": [
{
"source": "disclosure@vulncheck.com",
"tags": [
"Patch"
],
"url": "https://github.com/openclaw/openclaw/commit/3cbcba10cf30c2ffb898f0d8c7dfb929f15f8930"
},
{
"source": "disclosure@vulncheck.com",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-q447-rj3r-2cgh"
},
{
"source": "disclosure@vulncheck.com",
"tags": [
"Third Party Advisory"
],
"url": "https://www.vulncheck.com/advisories/openclaw-denial-of-service-via-unbounded-webhook-request-body-buffering"
}
],
"sourceIdentifier": "disclosure@vulncheck.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-770"
}
],
"source": "disclosure@vulncheck.com",
"type": "Primary"
}
]
}
GHSA-Q447-RJ3R-2CGH
Vulnerability from github – Published: 2026-02-18 00:53 – Updated: 2026-03-05 21:53
VLAI?
Summary
OpenClaw affected by denial of service via unbounded webhook request body buffering
Details
Summary
Multiple webhook handlers accepted and buffered request bodies without a strict unified byte/time limit. A remote unauthenticated attacker could send oversized payloads and cause memory pressure, degrading availability.
Details
Affected packages:
- openclaw (npm): <2026.2.12
- clawdbot (npm): <=2026.1.24-3
Root cause:
- Webhook code paths buffered request payloads without consistent maxBytes + timeoutMs enforcement.
- Some SDK-backed handlers parse request bodies internally and needed stream-level guards.
Attack shape: - Send very large JSON payloads or slow/incomplete uploads to webhook endpoints. - Observe elevated memory usage and request handler pressure.
Impact
Remote unauthenticated availability impact (DoS) via request body amplification/memory pressure.
Patch details (implemented)
- Added shared bounded request-body helper in
src/infra/http-body.ts. - Exported helper in
src/plugin-sdk/index.tsfor extension reuse. - Migrated webhook body readers to shared helper for:
- LINE
- Nextcloud Talk
- Google Chat
- Zalo
- BlueBubbles
- Nostr profile HTTP
- Voice-call
- Gateway hooks
- Added stream guards for SDK handlers that parse request bodies internally:
- Slack
- Telegram
- Feishu
- Added explicit Express JSON body limit handling for MS Teams webhook path.
- Standardized failure responses:
413 Payload Too Large408 Request Timeout
Tests
- Added regression tests:
src/infra/http-body.test.tssrc/line/monitor.read-body.test.tsextensions/nextcloud-talk/src/monitor.read-body.test.ts- Focused webhook/security test suite passes for patched paths.
Remediation
Upgrade to the first release containing this patch.
Credits
Thanks @vincentkoc for reporting.
Severity ?
7.5 (High)
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "openclaw"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2026.2.13"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "clawdbot"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "2026.1.24-3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-28478"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": true,
"github_reviewed_at": "2026-02-18T00:53:07Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Summary\nMultiple webhook handlers accepted and buffered request bodies without a strict unified byte/time limit. A remote unauthenticated attacker could send oversized payloads and cause memory pressure, degrading availability.\n\n### Details\nAffected packages:\n- `openclaw` (npm): `\u003c2026.2.12`\n- `clawdbot` (npm): `\u003c=2026.1.24-3`\n\nRoot cause:\n- Webhook code paths buffered request payloads without consistent `maxBytes` + `timeoutMs` enforcement.\n- Some SDK-backed handlers parse request bodies internally and needed stream-level guards.\n\nAttack shape:\n- Send very large JSON payloads or slow/incomplete uploads to webhook endpoints.\n- Observe elevated memory usage and request handler pressure.\n\n### Impact\nRemote unauthenticated availability impact (DoS) via request body amplification/memory pressure.\n\n### Patch details (implemented)\n- Added shared bounded request-body helper in `src/infra/http-body.ts`.\n- Exported helper in `src/plugin-sdk/index.ts` for extension reuse.\n- Migrated webhook body readers to shared helper for:\n - LINE\n - Nextcloud Talk\n - Google Chat\n - Zalo\n - BlueBubbles\n - Nostr profile HTTP\n - Voice-call\n - Gateway hooks\n- Added stream guards for SDK handlers that parse request bodies internally:\n - Slack\n - Telegram\n - Feishu\n- Added explicit Express JSON body limit handling for MS Teams webhook path.\n- Standardized failure responses:\n - `413 Payload Too Large`\n - `408 Request Timeout`\n\n### Tests\n- Added regression tests:\n - `src/infra/http-body.test.ts`\n - `src/line/monitor.read-body.test.ts`\n - `extensions/nextcloud-talk/src/monitor.read-body.test.ts`\n- Focused webhook/security test suite passes for patched paths.\n\n### Remediation\nUpgrade to the first release containing this patch.\n\n## Credits\nThanks @vincentkoc for reporting.",
"id": "GHSA-q447-rj3r-2cgh",
"modified": "2026-03-05T21:53:39Z",
"published": "2026-02-18T00:53:07Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-q447-rj3r-2cgh"
},
{
"type": "PACKAGE",
"url": "https://github.com/openclaw/openclaw"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "OpenClaw affected by denial of service via unbounded webhook request body buffering"
}
CNVD-2026-13800
Vulnerability from cnvd - Published: 2026-03-12
VLAI Severity ?
Title
OpenClaw拒绝服务漏洞(CNVD-2026-13800)
Description
OpenClaw是用于处理Webhook事件的开源框架。
OpenClaw存在拒绝服务漏洞。攻击者可利用该漏洞通过发送超大JSON负载或缓慢上传引发内存压力,导致服务不可用。
Severity
高
Patch Name
OpenClaw拒绝服务漏洞(CNVD-2026-13800)的补丁
Patch Description
OpenClaw是用于处理Webhook事件的开源框架。
OpenClaw存在拒绝服务漏洞。攻击者可利用该漏洞通过发送超大JSON负载或缓慢上传引发内存压力,导致服务不可用。目前,供应商发布了安全公告及相关补丁信息,修复了此漏洞。
Formal description
目前厂商已发布升级补丁以修复漏洞。补丁获取链接: https://github.com/openclaw/openclaw/security/advisories/GHSA-q447-rj3r-2cgh
Reference
https://github.com/openclaw/openclaw/commit/3cbcba10cf30c2ffb898f0d8c7dfb929f15f8930
https://github.com/openclaw/openclaw/security/advisories/GHSA-q447-rj3r-2cgh
https://www.vulncheck.com/advisories/openclaw-denial-of-service-via-unbounded-webhook-request-body-buffering
Impacted products
| Name | OpenClaw OpenClaw <2026.2.13 |
|---|
{
"cves": {
"cve": {
"cveNumber": "CVE-2026-28478",
"cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2026-28478"
}
},
"description": "OpenClaw\u662f\u7528\u4e8e\u5904\u7406Webhook\u4e8b\u4ef6\u7684\u5f00\u6e90\u6846\u67b6\u3002\n\nOpenClaw\u5b58\u5728\u62d2\u7edd\u670d\u52a1\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u901a\u8fc7\u53d1\u9001\u8d85\u5927JSON\u8d1f\u8f7d\u6216\u7f13\u6162\u4e0a\u4f20\u5f15\u53d1\u5185\u5b58\u538b\u529b\uff0c\u5bfc\u81f4\u670d\u52a1\u4e0d\u53ef\u7528\u3002",
"formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\u3002\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a\r\nhttps://github.com/openclaw/openclaw/security/advisories/GHSA-q447-rj3r-2cgh",
"isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
"number": "CNVD-2026-13800",
"openTime": "2026-03-12",
"patchDescription": "OpenClaw\u662f\u7528\u4e8e\u5904\u7406Webhook\u4e8b\u4ef6\u7684\u5f00\u6e90\u6846\u67b6\u3002\r\n\r\nOpenClaw\u5b58\u5728\u62d2\u7edd\u670d\u52a1\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u901a\u8fc7\u53d1\u9001\u8d85\u5927JSON\u8d1f\u8f7d\u6216\u7f13\u6162\u4e0a\u4f20\u5f15\u53d1\u5185\u5b58\u538b\u529b\uff0c\u5bfc\u81f4\u670d\u52a1\u4e0d\u53ef\u7528\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
"patchName": "OpenClaw\u62d2\u7edd\u670d\u52a1\u6f0f\u6d1e\uff08CNVD-2026-13800\uff09\u7684\u8865\u4e01",
"products": {
"product": "OpenClaw OpenClaw \u003c2026.2.13"
},
"referenceLink": "https://github.com/openclaw/openclaw/commit/3cbcba10cf30c2ffb898f0d8c7dfb929f15f8930\r\nhttps://github.com/openclaw/openclaw/security/advisories/GHSA-q447-rj3r-2cgh\r\nhttps://www.vulncheck.com/advisories/openclaw-denial-of-service-via-unbounded-webhook-request-body-buffering",
"serverity": "\u9ad8",
"submitTime": "2026-03-12",
"title": "OpenClaw\u62d2\u7edd\u670d\u52a1\u6f0f\u6d1e\uff08CNVD-2026-13800\uff09"
}
Loading…
Trend slope:
-
(linear fit over daily sighting counts)
Show additional events:
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…