Description
OpenClaw versions prior to 2026.2.14 contain a denial of service vulnerability in the extractArchive function within src/infra/archive.ts that allows attackers to consume excessive CPU, memory, and disk resources through high-expansion ZIP and TAR archives. Remote attackers can trigger resource exhaustion by providing maliciously crafted archive files during install or update operations, causing service degradation or system unavailability.
Published: 2026-03-05
Score: 6.7 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Patch
AI Analysis

Impact

OpenClaw versions earlier than 2026.2.14 allow attackers to trigger denial of service by feeding the program high‑expansion ZIP and TAR archives. The vulnerability resides in the extractArchive function in src/infra/archive.ts and enables the attacker to consume excessive CPU, memory, and disk resources, leading to service degradation or system unavailability. This is a classic instance of uncontrolled resource consumption, identified as CWE‑770.

Affected Systems

The affected product is OpenClaw, a Node.js application. Any installation of OpenClaw built from source or distributed binaries with a version older than 2026.2.14 is vulnerable. The vulnerability exists in the core archive extraction logic and is not limited to a particular operating system or deployment environment.

Risk and Exploitability

The CVSS score of 6.7 corresponds to Medium severity, while the EPSS score of less than 1% suggests a low but non‑zero likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. Remote attackers can potentially exploit the flaw by embedding malicious archives in install or update operations, which are typically executed with elevated privileges. The attack vector is inferred to be remote, via the update mechanism, and would require the attacker to provide a crafted archive to the target system. Given the nature of the resource exhaustion, even a single successful exploit can render the service unavailable to legitimate users.

Generated by OpenCVE AI on April 17, 2026 at 12:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to OpenClaw 2026.2.14 or later, which removes the unguarded archive extraction flaw.
  • Disable automatic installation of unverified archives until the patch is applied, ensuring only signed or verified packages are processed.
  • Configure resource limits or a watchdog on the extraction process to prevent system over‑utilization during archive unpacking.
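As an added example (not OpenClaw's code and not taken from this advisory), the TypeScript below sketches the kind of extraction guard the last recommendation describes for the TAR side of the issue: declared member sizes and member count are checked against a budget before any member body is buffered, and the gzip layer is inflated under a hard output ceiling so a high-expansion stream is cut off instead of filling memory or disk. Everything here is hypothetical: the ExtractLimits budget and its values, the guardedTarEntries, guardedGunzip and guardedTarGzEntries functions, and the tarHeader/buildTar helpers used only to construct the sample archives.

```typescript
import * as zlib from "node:zlib";

// Hypothetical extraction budget; the values are illustrative, not OpenClaw's.
export interface ExtractLimits {
  maxTotalBytes: number; // declared uncompressed bytes across all members
  maxEntries: number;    // number of archive members
  maxRatio: number;      // decompressed/compressed ratio allowed for the gzip layer
}

export const DEFAULT_LIMITS: ExtractLimits = { maxTotalBytes: 64 * 1024, maxEntries: 100, maxRatio: 100 };

export class ArchiveGuardError extends Error {
  constructor(msg: string) {
    super(msg);
    this.name = "ArchiveGuardError";
    Object.setPrototypeOf(this, ArchiveGuardError.prototype); // keep instanceof working under ES5 targets
  }
}

export interface TarEntry { name: string; size: number; }

// NUL-terminated text field of a 512-byte ustar header.
function field(header: Buffer, start: number, len: number): string {
  const raw = header.toString("latin1", start, start + len);
  const nul = raw.indexOf("\0");
  return (nul === -1 ? raw : raw.slice(0, nul)).trim();
}

// Walk the ustar headers and refuse the archive before any member body is
// buffered if the declared sizes or member count exceed the budget, or if a
// header claims more bytes than the archive actually carries.
export function guardedTarEntries(tar: Buffer, limits: ExtractLimits): TarEntry[] {
  const entries: TarEntry[] = [];
  let offset = 0;
  let total = 0;
  while (offset + 512 <= tar.length) {
    const header = tar.subarray(offset, offset + 512);
    if (header.every((b) => b === 0)) break; // zero block marks end of archive
    const name = field(header, 0, 100);
    const size = parseInt(field(header, 124, 12), 8); // size field is octal text
    if (!Number.isSafeInteger(size) || size < 0) throw new ArchiveGuardError(`bad size field for ${name}`);
    if (entries.length >= limits.maxEntries) throw new ArchiveGuardError(`more than ${limits.maxEntries} members`);
    total += size;
    if (total > limits.maxTotalBytes) throw new ArchiveGuardError(`declared ${total} bytes exceeds budget of ${limits.maxTotalBytes}`);
    const padded = Math.ceil(size / 512) * 512;
    if (offset + 512 + padded > tar.length) throw new ArchiveGuardError(`member ${name} is truncated`);
    entries.push({ name, size });
    offset += 512 + padded;
  }
  return entries;
}

// Inflate with a hard output ceiling derived from the budget and the allowed
// expansion ratio; zlib stops with ERR_BUFFER_TOO_LARGE instead of growing.
export function guardedGunzip(gz: Buffer, limits: ExtractLimits): Buffer {
  const ceiling = Math.min(limits.maxTotalBytes, gz.length * limits.maxRatio);
  try {
    return zlib.gunzipSync(gz, { maxOutputLength: ceiling });
  } catch (err) {
    if ((err as { code?: string }).code === "ERR_BUFFER_TOO_LARGE") {
      throw new ArchiveGuardError(`decompressed output would exceed ${ceiling} bytes`);
    }
    throw err;
  }
}

// Both layers together: bounded inflate, then bounded header walk.
export function guardedTarGzEntries(gz: Buffer, limits: ExtractLimits = DEFAULT_LIMITS): TarEntry[] {
  return guardedTarEntries(guardedGunzip(gz, limits), limits);
}

// Minimal ustar header writer, used only to construct sample archives here.
export function tarHeader(name: string, size: number): Buffer {
  const h = Buffer.alloc(512);
  h.write(name, 0, 100, "latin1");
  h.write("0000644\0", 100, 8, "latin1");                               // mode
  h.write("0000000\0", 108, 8, "latin1");                               // uid
  h.write("0000000\0", 116, 8, "latin1");                               // gid
  h.write(("00000000000" + size.toString(8)).slice(-11) + "\0", 124, 12, "latin1");
  h.write("00000000000\0", 136, 12, "latin1");                          // mtime
  h.write("        ", 148, 8, "latin1");                                // checksum counted as spaces
  h.write("0", 156, 1, "latin1");                                       // regular file
  h.write("ustar\0" + "00", 257, 8, "latin1");
  let sum = 0;
  for (let i = 0; i < 512; i++) sum += h[i];
  h.write(("000000" + sum.toString(8)).slice(-6) + "\0 ", 148, 8, "latin1");
  return h;
}

// Constructed sample archive: members padded to 512-byte blocks, two zero blocks at the end.
export function buildTar(files: Array<[string, Buffer]>): Buffer {
  const parts: Buffer[] = [];
  for (const [name, body] of files) {
    parts.push(tarHeader(name, body.length), body, Buffer.alloc((512 - (body.length % 512)) % 512));
  }
  parts.push(Buffer.alloc(1024));
  return Buffer.concat(parts);
}
```

Two design points worth noting. The TAR check rejects on declared sizes, so a header that claims a gigabyte with a few bytes of body behind it is refused before the extractor allocates anything. The ratio cap on the gzip layer needs headroom: a legitimate .tar.gz of small files expands well beyond 10x because tar pads every member to 512-byte blocks, which is why the absolute byte budget, not the ratio, is the control that actually bounds memory and disk.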


Tracking


Advisories
Source: Github GHSA
ID: GHSA-h89v-j3x9-8wqj
Title: OpenClaw affected by denial of service through unguarded archive extraction allowing high expansion/resource abuse (ZIP/TAR)
History

Mon, 09 Mar 2026 17:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 05 Mar 2026 22:45:00 +0000

Type: Metrics
Values Removed: cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}
Values Added: cvssV3_1 {'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H'}


Thu, 05 Mar 2026 22:15:00 +0000

Type: Description
Values Added: OpenClaw versions prior to 2026.2.14 contain a denial of service vulnerability in the extractArchive function within src/infra/archive.ts that allows attackers to consume excessive CPU, memory, and disk resources through high-expansion ZIP and TAR archives. Remote attackers can trigger resource exhaustion by providing maliciously crafted archive files during install or update operations, causing service degradation or system unavailability.

Type: Title
Values Added: OpenClaw < 2026.2.14 - Denial of Service via Unguarded Archive Extraction in extractArchive

Type: First Time appeared
Values Added: Openclaw; Openclaw openclaw

Type: Weaknesses
Values Added: CWE-770

Type: CPEs
Values Added: cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*

Type: Vendors & Products
Values Added: Openclaw; Openclaw openclaw

Type: References

Type: Metrics
Values Added: cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}
Values Added: cvssV4_0 {'score': 6.7, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-09T16:55:24.088Z

Reserved: 2026-02-27T19:17:10.435Z

Link: CVE-2026-28452

Vulnrichment

Updated: 2026-03-09T16:55:19.071Z

NVD

Status: Analyzed

Published: 2026-03-05T22:16:17.410

Modified: 2026-03-09T18:30:09.077

Link: CVE-2026-28452

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T12:45:16Z

Weaknesses