Description
OpenClaw versions prior to 2026.2.14 contain a denial of service vulnerability in the fetchWithGuard function that allocates entire response payloads in memory before enforcing maxBytes limits. Remote attackers can trigger memory exhaustion by serving oversized responses without content-length headers to cause availability loss.
Published: 2026-03-05
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service through uncontrolled memory allocation
Action: Patch Now
AI Analysis

Impact

The vulnerability is caused by the fetchWithGuard function allocating the entire response payload in memory before applying the maxBytes limit. A remote attacker can trigger memory exhaustion by serving oversized responses without a Content-Length header, depleting memory and causing loss of availability. The weakness is catalogued as CWE-770 (Allocation of Resources Without Limits or Throttling): an unbounded memory allocation leading to denial of service.
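
As an added illustration of the pattern this analysis describes (this is not OpenClaw's code; fetchWithGuard's real signature, its default maxBytes and the chunk sizes below are assumptions for the demo), the following Node.js snippet contrasts a reader that buffers the whole body before checking maxBytes with one that honours a declared Content-Length and otherwise enforces the cap while streaming. It uses only Node 18+ globals (Response, ReadableStream, Buffer) and a constructed in-memory response, so it runs without any network.

```javascript
// Added example, not OpenClaw's code. It contrasts a fetch helper that buffers
// the whole body before checking maxBytes with one that enforces the cap while
// streaming. Function names, the maxBytes value and the chunk sizes are
// constructed for the demo; only Node 18+ globals are used.

class PayloadTooLargeError extends Error {
  constructor(size, maxBytes, bytesBuffered) {
    super(`payload of ${size} bytes exceeds maxBytes=${maxBytes}`);
    this.name = "PayloadTooLargeError";
    this.bytesBuffered = bytesBuffered; // bytes actually resident when we refused
  }
}

// Unsafe shape, reconstructed from the advisory text (not OpenClaw's source):
// materialise the entire body, then compare. Peak memory is decided by the
// remote server, and maxBytes is checked only after the allocation has happened.
async function fetchWithGuardUnsafe(response, maxBytes) {
  const buf = Buffer.from(await response.arrayBuffer());
  if (buf.length > maxBytes) throw new PayloadTooLargeError(buf.length, maxBytes, buf.length);
  return buf;
}

// Hardened shape: refuse early on a declared Content-Length, then read the body
// chunk by chunk and stop as soon as the running total crosses maxBytes. At most
// maxBytes plus one chunk is ever resident, whatever the server sends. A missing
// or non-numeric Content-Length simply falls through to the streaming check.
async function fetchWithGuardStreaming(response, maxBytes) {
  if (!response.body) return Buffer.alloc(0);
  const declared = Number(response.headers.get("content-length"));
  if (Number.isFinite(declared) && declared > maxBytes) {
    await response.body.cancel(); // nothing read yet; release the connection
    throw new PayloadTooLargeError(declared, maxBytes, 0);
  }
  const reader = response.body.getReader();
  const chunks = [];
  let total = 0;
  for (;;) {
    const { done, value } = await reader.read();
    if (done) break;
    total += value.byteLength;
    if (total > maxBytes) {
      await reader.cancel(); // stop pulling; drop what we hold
      throw new PayloadTooLargeError(total, maxBytes, total);
    }
    chunks.push(value);
  }
  return Buffer.concat(chunks);
}

// Constructed stand-in for a remote server: a Response whose body arrives in
// chunkCount chunks of chunkSize bytes, with optional headers. No network.
function makeResponse(chunkCount, chunkSize, headers = {}) {
  let sent = 0;
  const body = new ReadableStream({
    pull(controller) {
      if (sent >= chunkCount) { controller.close(); return; }
      controller.enqueue(new Uint8Array(chunkSize).fill(0x41));
      sent += 1;
    },
  });
  return new Response(body, { headers });
}

// Runs a guard and reports how many bytes were resident when it refused
// (or -1 if it accepted the body).
async function bytesBufferedBeforeReject(guard, response, maxBytes) {
  try {
    await guard(response, maxBytes);
    return -1;
  } catch (e) {
    if (e instanceof PayloadTooLargeError) return e.bytesBuffered;
    throw e;
  }
}

// Constructed scenario: maxBytes of 4 KiB against a 10 KiB body sent in 1 KiB
// chunks with no Content-Length, the same body with a declared length, and a
// small body that should be accepted.
async function demo() {
  const maxBytes = 4096;
  const unsafeBuffered = await bytesBufferedBeforeReject(fetchWithGuardUnsafe, makeResponse(10, 1024), maxBytes);
  const streamingBuffered = await bytesBufferedBeforeReject(fetchWithGuardStreaming, makeResponse(10, 1024), maxBytes);
  const declaredBuffered = await bytesBufferedBeforeReject(
    fetchWithGuardStreaming, makeResponse(10, 1024, { "content-length": "10240" }), maxBytes);
  const ok = await fetchWithGuardStreaming(makeResponse(2, 1024), maxBytes);
  return { unsafeBuffered, streamingBuffered, declaredBuffered, okLength: ok.length };
}

demo().then((result) => console.log(result));
```

The buffering reader ends up holding the full 10240 bytes before it can refuse; the streaming reader stops after 5120 bytes (the first chunk that pushes the total past the cap), and a declared Content-Length above the cap is rejected before a single byte is read. This is the invariant a reverse proxy or the upgraded fetchWithGuard should provide: peak memory per fetch is a function of maxBytes, not of the remote server.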

Affected Systems

OpenClaw versions earlier than 2026.2.14 are affected. The vulnerability exists in the OpenClaw application, which is built on Node.js platforms.

Risk and Exploitability

The CVSS base score is 8.7, indicating high severity. The EPSS score is below 1%, suggesting a low probability of exploitation at any given time, and the vulnerability is not listed in the CISA KEV catalog. Attackers would exploit the flaw remotely by initiating HTTP requests with very large bodies without Content-Length headers, causing the server to consume excessive memory until it crashes or becomes unreachable.

Generated by OpenCVE AI on April 18, 2026 at 09:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OpenClaw to version 2026.2.14 or later
  • Configure a reverse proxy or application firewall to enforce a maximum request body size and require Content-Length headers
  • Deploy operating-system or container resource limits to contain memory usage per process

Advisories
Source: Github GHSA
ID: GHSA-j27p-hq53-9wgc
Title: OpenClaw affected by denial of service via unbounded URL-backed media fetch
History

Mon, 09 Mar 2026 21:15:00 +0000

Values added:
Metrics: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 05 Mar 2026 22:15:00 +0000

Values added:
Description: OpenClaw versions prior to 2026.2.14 contain a denial of service vulnerability in the fetchWithGuard function that allocates entire response payloads in memory before enforcing maxBytes limits. Remote attackers can trigger memory exhaustion by serving oversized responses without content-length headers to cause availability loss.
Title: OpenClaw < 2026.2.14 - Denial of Service via Unbounded URL-backed Media Fetch
First Time appeared: Openclaw, Openclaw openclaw
Weaknesses: CWE-770
CPEs: cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*
Vendors & Products: Openclaw, Openclaw openclaw
References:
Metrics: cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}
Metrics: cvssV4_0 {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-09T20:37:30.422Z

Reserved: 2026-03-04T16:16:15.967Z

Link: CVE-2026-29609

Vulnrichment

Updated: 2026-03-09T20:37:18.381Z

NVD

Status: Analyzed

Published: 2026-03-05T22:16:24.043

Modified: 2026-03-11T01:03:36.773

Link: CVE-2026-29609

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T10:00:10Z

Weaknesses