Description
OpenClaw before 2026.4.8 contains improper input validation in base64 decode paths that allocate memory before enforcing decoded-size limits. Attackers can exploit multiple code paths to cause memory exhaustion or denial of service through crafted base64-encoded input.
Published: 2026-04-28
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: Denial of Service via memory exhaustion
Action: Patch
AI Analysis

Impact

OpenClaw before 2026.4.8 improperly validates input in base64 decode paths: the decoded buffer is allocated first and the decoded-size limit is enforced only afterwards, so the check runs too late to protect memory. An attacker who can reach any of these decode paths can supply crafted base64 strings that trigger excessive memory allocation, exhausting process memory and crashing the service. This is a textbook instance of CWE-770 (Allocation of Resources Without Limits or Throttling); the impact is limited to denial of service, with no remote code execution.

Affected Systems

The affected product is OpenClaw (CPE vendor openclaw, product openclaw, target software node.js). All releases prior to 2026.4.8 are vulnerable, including any intermediate patch levels that do not include the fix; 2026.4.8 is the first version the description identifies as fixed.

Risk and Exploitability

The CVSS 4.0 score of 5.3 (CVSS 3.1: 4.3) classifies the vulnerability as medium severity. The vector (AV:N/AC:L/PR:L/UI:N, low availability impact, no confidentiality or integrity impact) describes a network-reachable, low-complexity attack that needs no user interaction but does require a low-privileged account. No EPSS score is available, so exploitation probability cannot be gauged from that source; however, because the flaw sits in base64 decoding, a function commonly reachable from network-facing APIs, an authenticated remote attacker could trigger it by sending oversized base64 payloads to an affected endpoint. The vulnerability is not listed in the CISA KEV catalog, so no widespread exploitation has been documented. The remote attack vector is inferred from the CVSS vector and the typical exposure of base64 decode paths in network services; the description does not name the specific endpoints or code paths involved.

Generated by OpenCVE AI on April 28, 2026 at 22:56 UTC.

Remediation

No vendor advisory or workaround is linked on this page. The CVE description identifies 2026.4.8 as the first fixed version, so upgrading to that release or later is the available remediation.

OpenCVE Recommended Actions

  • Upgrade OpenClaw to version 2026.4.8 or later to include the input validation fix.
  • If an immediate upgrade is not possible, limit the size or rate of base64 input accepted by the service and reject payloads that exceed reasonable thresholds.
  • Monitor memory usage and set alerts for anomalous consumption to detect and mitigate denial‑of‑service attempts.
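The allocation-before-check pattern described under Impact, and the input-size limit recommended in the second action above, as an added example in Node.js (the CPE's target platform). This is not OpenClaw's code: the function names and the 1 MiB limit are assumptions for illustration, and the sample inputs are constructed.

```javascript
// Added example, not code from OpenClaw: bounding base64 decode size in Node.js
// *before* any allocation. MAX_DECODED_BYTES is an assumed policy limit.
const MAX_DECODED_BYTES = 1024 * 1024; // 1 MiB, assumed

// Vulnerable pattern (the CWE-770 shape described in the CVE): Buffer.from
// allocates the whole decoded buffer first, so the size check only runs after
// memory has already been committed. A large enough string exhausts the heap
// before the check is ever reached.
function decodeUnbounded(b64, max = MAX_DECODED_BYTES) {
  const buf = Buffer.from(b64, 'base64'); // allocation happens here
  if (buf.length > max) throw new RangeError('decoded payload too large');
  return buf;
}

// Conservative upper bound on the decoded size, computed from the encoded
// text alone: drop up to two trailing '=' pads, then every 4 characters yield
// at most 3 bytes. Characters the decoder would skip (whitespace, invalid
// symbols) are still counted, so the bound is never smaller than the real
// output. This is the same arithmetic Node uses for
// Buffer.byteLength(s, 'base64').
function maxDecodedBytes(b64) {
  let n = b64.length;
  if (n > 0 && b64[n - 1] === '=') n--;
  if (n > 1 && b64[n - 1] === '=') n--;
  return Math.floor((n * 3) / 4);
}

// Hardened decoder: reject on the predicted size, which costs O(1) time and
// no memory, and only then allocate.
function decodeBounded(b64, max = MAX_DECODED_BYTES) {
  if (typeof b64 !== 'string') throw new TypeError('expected base64 string');
  const bound = maxDecodedBytes(b64);
  if (bound > max) {
    throw new RangeError(`decoded size up to ${bound} bytes exceeds limit ${max}`);
  }
  const buf = Buffer.from(b64, 'base64');
  // The bound is an upper limit, so this cannot fire; it documents the
  // invariant the early check relies on.
  if (buf.length > bound) throw new Error('decoder produced more bytes than bound');
  return buf;
}

// Constructed sample inputs: a legitimate payload and an oversized one.
const SMALL = Buffer.from('hello world').toString('base64'); // 'aGVsbG8gd29ybGQ='
// 6 MiB of 'A' decodes to 4.5 MiB of zero bytes, well over the 1 MiB limit.
const HUGE = 'A'.repeat(6 * 1024 * 1024);

function demo() {
  const ok = decodeBounded(SMALL).toString('utf8'); // 'hello world'
  let rejected = false;
  try {
    decodeBounded(HUGE); // rejected before Buffer.from is ever called
  } catch (e) {
    rejected = e instanceof RangeError;
  }
  return { ok, rejected, bound: maxDecodedBytes(HUGE) };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

The same pre-allocation bound applies to any decoder: when the encoded length is known, the maximum decoded length is known too, so a limit can always be enforced before a single byte is allocated. Rate limiting is a separate, coarser control and does not replace this check.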



Advisories

No advisories yet.

History

Tue, 28 Apr 2026 19:15:00 +0000

Type | Values Removed | Values Added
Description | | OpenClaw before 2026.4.8 contains improper input validation in base64 decode paths that allocate memory before enforcing decoded-size limits. Attackers can exploit multiple code paths to cause memory exhaustion or denial of service through crafted base64-encoded input.
Title | | OpenClaw < 2026.4.8 - Improper Base64 Decoding Size Validation
First Time appeared | | Openclaw; Openclaw openclaw
Weaknesses | | CWE-770
CPEs | | cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*
Vendors & Products | | Openclaw; Openclaw openclaw
References | |
Metrics | | cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L'}; cvssV4_0 {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-28T18:10:11.948Z

Reserved: 2026-04-27T11:38:59.195Z

Link: CVE-2026-42420

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-04-28T19:37:45.680

Modified: 2026-04-28T20:10:23.367

Link: CVE-2026-42420

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T23:00:13Z

Weaknesses