OpenClaw Denial-of-Service Vulnerability in Webhook Request Body Handling
Vulnerability
A denial-of-service vulnerability has been identified in OpenClaw versions prior to 2026.2.13. The affected webhook handlers read the entire request body into memory before acting on it, without enforcing a limit on the number of bytes accepted or on how long the read may take. A remote, unauthenticated attacker can therefore send oversized JSON payloads, or send a body very slowly, to the webhook endpoints; each such request holds a growing buffer and an open connection for as long as the attacker chooses, increasing memory usage and degrading availability.
Impact
Each malicious request ties up a growing in-memory buffer and an open connection for as long as the attacker keeps it alive. Many such requests in parallel raise memory usage and request-handling pressure until legitimate webhook deliveries are delayed or dropped, degrading application availability. The impact is to availability only.
Reproduction
To reproduce, send a request with a very large JSON body to an affected webhook endpoint and observe the process's memory grow, or send a body slowly (a few bytes per second with a large declared Content-Length) and observe that the connection and its buffer stay open for the duration. Any client that lets you control request size and send rate will do: Postman, a custom script, or curl with --limit-rate against a large payload file.
Remediation
Users are advised to upgrade to OpenClaw version 2026.2.13 or later, where this vulnerability has been patched. Until the upgrade is applied, a reverse proxy in front of the webhook endpoints that enforces a maximum request body size and client body timeouts reduces the exposure, but it is a stopgap rather than a fix.
