{"id":"GHSA-p536-vvpp-9mc8","summary":"OpenClaw has a Web Fetch DoS via unbounded response parsing","details":"### Summary\nThe `web_fetch` tool could be used to crash the OpenClaw Gateway process (OOM / resource exhaustion) by fetching and attempting to parse attacker-controlled web pages with oversized response bodies or pathological HTML nesting.\n\n### Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Affected versions: `\u003c= 2026.2.14`\n- Fixed versions: `\u003e= 2026.2.15`\n\n### Impact\nAn attacker can social-engineer a user (or any automation that uses `web_fetch`) into fetching a malicious URL that returns extremely large or deeply nested HTML. The Gateway may exhaust memory or become unresponsive, causing a denial of service.\n\n### Fix\nThe Gateway now caps the downloaded response body size before any HTML parsing and adds additional guards to avoid running Readability/DOM parsing on pathological HTML.\n\n### Fix Commit(s)\n- 166cf6a3e04c7df42bea70a7ad5ce2b9df46d147\n\n### Release Process Note\nThis advisory is prepared for the next npm release. Once `openclaw@2026.2.15` is published, publish this advisory without further edits.\n\nThanks @xuemian168 for reporting.","aliases":["CVE-2026-28394"],"modified":"2026-03-05T21:42:20Z","published":"2026-02-19T19:40:56Z","database_specific":{"github_reviewed_at":"2026-02-19T19:40:56Z","github_reviewed":true,"severity":"MODERATE","nvd_published_at":null,"cwe_ids":["CWE-400"]},"references":[{"type":"WEB","url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-p536-vvpp-9mc8"},{"type":"WEB","url":"https://github.com/openclaw/openclaw/commit/166cf6a3e04c7df42bea70a7ad5ce2b9df46d147"},{"type":"PACKAGE","url":"https://github.com/openclaw/openclaw"},{"type":"WEB","url":"https://github.com/openclaw/openclaw/releases/tag/v2026.2.15"}],"affected":[{"package":{"name":"openclaw","ecosystem":"npm","purl":"pkg:npm/openclaw"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"2026.2.15"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-p536-vvpp-9mc8/GHSA-p536-vvpp-9mc8.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"}]}
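The advisory's Fix section describes two guards: capping the response body before any HTML parsing, and refusing to run Readability/DOM parsing on pathological HTML. The block below is an added illustration of that pattern for a Node.js fetch tool; it is not OpenClaw's code and does not reflect the actual fix commit. The names (`BodyCap`, `readCapped`, `maxNestingDepth`, `shouldParseHtml`), the 5 MiB and 512-level limits, and the tag scanner are assumptions chosen for the example; Node 18+ is assumed for the global `ReadableStream`, `TextEncoder`/`TextDecoder` and `Buffer`.

```javascript
// Added example (not OpenClaw's own code): guards an HTML-fetching tool can
// apply before handing an attacker-controlled response to a DOM/Readability parser.
// All names and limits below are illustrative assumptions, not OpenClaw's.

// HTML elements that never have a closing tag and so must not increase depth.
const VOID_ELEMENTS = new Set([
  "area", "base", "br", "col", "embed", "hr", "img", "input",
  "link", "meta", "param", "source", "track", "wbr",
]);

// Accumulates body chunks and fails closed as soon as the running total
// exceeds maxBytes, so an oversized body is never fully buffered in memory.
class BodyCap {
  constructor(maxBytes) {
    this.maxBytes = maxBytes;
    this.size = 0;
    this.chunks = [];
  }
  push(chunk) {
    this.size += chunk.byteLength;
    if (this.size > this.maxBytes) {
      throw new RangeError(`response body exceeds ${this.maxBytes} bytes`);
    }
    this.chunks.push(chunk);
  }
  text() {
    return Buffer.concat(this.chunks).toString("utf8");
  }
}

// Synchronous helper: feed an array of Uint8Array chunks through the cap.
// Mirrors what a streaming reader loop does, without needing a socket.
function collectCapped(chunks, maxBytes) {
  const cap = new BodyCap(maxBytes);
  for (const c of chunks) cap.push(c);
  return cap.text();
}

// Streaming variant for a real fetch():
//   const html = await readCapped(res.body, 5 * 1024 * 1024);
// On overflow the stream is cancelled so the connection is released
// rather than drained to completion.
async function readCapped(stream, maxBytes) {
  const cap = new BodyCap(maxBytes);
  const reader = stream.getReader();
  try {
    for (;;) {
      const { value, done } = await reader.read();
      if (done) break;
      cap.push(value);
    }
  } catch (e) {
    await reader.cancel().catch(() => {});
    throw e;
  }
  return cap.text();
}

// Cheap pre-parse scan: estimates maximum element nesting depth with a tag
// regex instead of building a DOM. Returns early once maxDepth is crossed,
// so the scan itself costs at most one pass over the (already capped) input.
function maxNestingDepth(html, maxDepth = Infinity) {
  const tagRe = /<\s*(\/?)\s*([a-zA-Z][a-zA-Z0-9-]*)[^>]*?(\/?)\s*>/g;
  let depth = 0;
  let max = 0;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const [, closing, rawName, selfClosing] = m;
    const name = rawName.toLowerCase();
    if (closing) {
      if (depth > 0) depth--;
      continue;
    }
    if (selfClosing || VOID_ELEMENTS.has(name)) continue;
    depth++;
    if (depth > max) {
      max = depth;
      if (max > maxDepth) return max; // pathological: stop scanning
    }
  }
  return max;
}

// Decision point before Readability/DOM parsing: both limits are assumed values.
function shouldParseHtml(html, { maxBytes = 5 * 1024 * 1024, maxDepth = 512 } = {}) {
  const bytes = Buffer.byteLength(html, "utf8");
  if (bytes > maxBytes) return { ok: false, reason: `body is ${bytes} bytes` };
  const depth = maxNestingDepth(html, maxDepth);
  if (depth > maxDepth) return { ok: false, reason: `nesting depth exceeds ${maxDepth}` };
  return { ok: true, reason: "" };
}
```

The body cap has to be enforced while streaming, not after `await res.text()`, because by the time a full text body exists the allocation the attacker wanted has already happened; the depth scan runs only on a body that passed the cap, which bounds its cost. Note that a Content-Length header is not a substitute for the cap: a server can omit it or lie, and chunked responses carry none.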