Description
OpenClaw versions prior to 2026.2.22 fail to consistently enforce configured inbound media byte limits before buffering remote media across multiple channel ingestion paths. Remote attackers can send oversized media payloads to trigger elevated memory usage and potential process instability.
Published: 2026-03-21
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Immediate Patch
AI Analysis

Impact

The vulnerability resides in OpenClaw versions older than 2026.2.22. A flaw in the inbound media handling allows an attacker to upload media larger than the configured byte limit. The software accepts the oversized payload, buffers it before enforcing the limit, and its memory use grows with the size of the payload. This can crash the process or consume multiple gigabytes of RAM, leading to denial of service. The weakness aligns with CWE-770, Resource Exhaustion.

Affected Systems

Systems running OpenClaw prior to 2026.2.22 are impacted. This includes any installation of the OpenClaw application packaged with the tagged releases. No specific platform restrictions are listed, so the issue applies across all environments that deploy the vulnerable Node.js code base.

Risk and Exploitability

The CVSS base score of 8.7 rates the issue as High. OpenClaw's own vulnerability advisory explains that no exploit code is required; the attacker only needs to transmit large media files, a capability available from any remote network. The EPSS score is not listed, and the vulnerability is not yet in the CISA KEV catalogue. As a result, the risk is high and the likelihood of exploitation is significant, especially in services that accept user-uploaded media without additional infrastructure checks.

Generated by OpenCVE AI on March 21, 2026 at 06:57 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Apply the latest OpenClaw release (2026.2.22 or later).
  • Verify that the inbound media byte limit enforcement is active in production.
  • Configure application or network firewalls to reject payloads exceeding the allowed size.
  • Monitor logs for unusually large media ingestion events and set up alerts for repeated failures.

Advisories

Source: GitHub GHSA
ID: GHSA-rxxp-482v-7mrh
Title: OpenClaw's inbound media downloads could exceed configured byte limits before rejection across multiple channels
History

Tue, 24 Mar 2026 16:15:00 +0000

Metrics (ssvc) added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sat, 21 Mar 2026 05:30:00 +0000

Description added: OpenClaw versions prior to 2026.2.22 fail to consistently enforce configured inbound media byte limits before buffering remote media across multiple channel ingestion paths. Remote attackers can send oversized media payloads to trigger elevated memory usage and potential process instability.
Title added: OpenClaw < 2026.2.22 - Denial of Service via Inbound Media Download Byte Limit Bypass
First time appeared: Openclaw (Openclaw openclaw)
Weaknesses added: CWE-770
CPEs added: cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*
Vendors & Products added: Openclaw (Openclaw openclaw)
References:
Metrics (cvssV3_1) added: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}
Metrics (cvssV4_0) added: {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-24T15:22:25.521Z

Reserved: 2026-03-10T19:48:47.515Z

Link: CVE-2026-32049

Vulnrichment

Updated: 2026-03-24T15:22:21.956Z

NVD

Status : Analyzed

Published: 2026-03-21T01:17:07.700

Modified: 2026-03-23T17:09:08.487

Link: CVE-2026-32049

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T14:33:25Z

Weaknesses