Description
OpenClaw before 2026.3.31 contains a resource exhaustion vulnerability in media downloads that bypasses core safety limits for file size, count, and cleanup operations. Attackers can exhaust disk space by downloading media files without triggering intended safety restrictions, causing availability impact.
Published: 2026-04-28
Score: 2.3 Low (CVSS v4.0; the CVSS v3.1 score recorded for the same entry is 4.3 Medium)
EPSS: n/a
KEV: No
Impact: Denial of Service via Disk Exhaustion
Action: Patch
AI Analysis

Impact

OpenClaw versions prior to 2026.3.31 have a resource exhaustion vulnerability that allows an attacker to download media without triggering the core safety limits for file size, file count, and cleanup operations. The flaw is classified as CWE-770 (allocation of resources without limits or throttling): because none of the three limits is enforced on the download path, an adversary can keep adding media files without bound, eventually exhausting storage on the host and disrupting legitimate application and service operations.

Affected Systems

All installations of OpenClaw running a release earlier than 2026.3.31 are affected. The vulnerability is in the media download handling routine itself, so it applies to every deployment of those versions independent of configuration; the CPE entry records the product as a Node.js application.

Risk and Exploitability

The CVSS v4.0 score of 2.3 indicates a low overall severity (the CVSS v3.1 vector scores 4.3, Medium). EPSS data is not available and the vulnerability is not listed in the CISA KEV catalog, so there is no evidence of exploitation in the wild at the time of writing. Both vectors (AV:N/AC:L/PR:L/UI:N) describe a network-reachable flaw that requires low privileges and no user interaction; the v4.0 vector additionally sets AT:P, meaning some precondition in the target environment must hold. The description does not name the exact code path, only that media downloads bypass the size, count and cleanup limits. Once triggered, an attacker can consume disk capacity until the system becomes unavailable, a denial of service affecting availability only (C:N/I:N/A:L).

Generated by OpenCVE AI on April 29, 2026 at 01:21 UTC.

Remediation

No vendor fix or workaround is recorded on this page. The CVE description itself identifies 2026.3.31 as the first version that is not affected.

OpenCVE Recommended Actions

  • Upgrade OpenClaw to version 2026.3.31 or later, which removes the bypass of media download limits.
  • If an upgrade is not immediately possible, enforce file size and count limits outside the vulnerable code path, for example a maximum response body size at a reverse proxy in front of the media fetcher, or a filesystem quota on the directory that receives downloaded media.
  • Monitor disk usage and set alerts or quotas to detect abnormal consumption patterns and react before full exhaustion occurs.



Advisories

No advisories yet.

History

Tue, 28 Apr 2026 19:15:00 +0000

Type: Values Removed / Values Added (this entry only adds values)

Description: (added) OpenClaw before 2026.3.31 contains a resource exhaustion vulnerability in media downloads that bypasses core safety limits for file size, count, and cleanup operations. Attackers can exhaust disk space by downloading media files without triggering intended safety restrictions, causing availability impact.
Title: (added) OpenClaw < 2026.3.31 - Disk Exhaustion via Media Download Bypass
First Time appeared: (added) Openclaw; Openclaw openclaw
Weaknesses: (added) CWE-770
CPEs: (added) cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*
Vendors & Products: (added) Openclaw; Openclaw openclaw
References: (none)
Metrics: (added)
  cvssV3_1: score 4.3, vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
  cvssV4_0: score 2.3, vector CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N


Subscriptions

Openclaw Openclaw
MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-29T13:36:09.031Z

Reserved: 2026-04-20T14:15:22.223Z

Link: CVE-2026-41408

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-04-28T19:37:44.567

Modified: 2026-04-28T20:10:23.367

Link: CVE-2026-41408

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T01:30:06Z

Weaknesses