PT-2026-23530 · Openclaw+1
Vincent Koc
·
Published
2026-02-18
·
Updated
2026-03-07
·
CVE-2026-28452
CVSS v4.0
6.7
Medium
| Vector | AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
Name of the Vulnerable Software and Affected Versions
OpenClaw versions prior to 2026.2.14
clawdbot versions prior to 2026.1.24-3
Description
The software contains a denial-of-service issue in the extractArchive function in src/infra/archive.ts. An attacker who can supply a maliciously crafted ZIP or TAR archive to an install or update operation can make extraction consume excessive CPU, memory, and disk resources, leading to service degradation or system unavailability. The issue stems from the absence of strict resource budgets during archive extraction, such as caps on the number of entries and on the declared per-entry and total uncompressed size. The CVSS v4.0 vector (AV:L, PR:N, UI:A, VA:H) reflects that the archive is processed locally, no privileges are required, a user must initiate the install or update, and the impact is confined to availability.
Recommendations
OpenClaw versions prior to 2026.2.14 should be updated to version 2026.2.14 or later.
clawdbot versions prior to 2026.1.24-3 should be updated to version 2026.1.24-3 or later.
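As an added example (not OpenClaw's or clawdbot's code, and not the fix shipped in 2026.2.14), the following TypeScript shows what "strict resource budgets during archive extraction" look like for the TAR case: each entry is checked against a per-entry, total and count budget using only the size declared in its header, so a crafted archive is rejected before any entry body is read or written. The budget names and limits, the `ExtractBudget` and `TarEntry` types, and the archive-building helpers are assumptions for illustration; the sample archives are constructed in the `demo` function. A ZIP extractor needs the same checks on the sizes each entry declares, plus a cap on the compression ratio.

```typescript
// Added example, not OpenClaw's extractArchive: a tar walker that applies
// explicit resource budgets to each header's declared size before reading
// or writing any entry body. Budget names and limits are illustrative.

const BLOCK = 512;

interface ExtractBudget {
  maxEntries: number;    // bounds CPU time and file-handle/inode churn
  maxEntryBytes: number; // bounds memory needed for any single entry
  maxTotalBytes: number; // bounds disk consumed by the whole archive
}

interface TarEntry { name: string; size: number; }
interface FileSpec { name: string; size: number; withBody: boolean; }

function ascii(b: Uint8Array, start: number, len: number): string {
  let s = "";
  for (let i = start; i < start + len && b[i] !== 0; i++) s += String.fromCharCode(b[i]);
  return s;
}

function parseOctal(field: string): number {
  const t = field.trim();
  if (t === "") return 0;
  if (!/^[0-7]{1,11}$/.test(t)) throw new Error(`malformed numeric field "${field}"`);
  return parseInt(t, 8);
}

// ustar checksum: sum of all header bytes with the checksum field read as spaces.
function headerChecksum(h: Uint8Array): number {
  let sum = 0;
  for (let i = 0; i < BLOCK; i++) sum += i >= 148 && i < 156 ? 0x20 : h[i];
  return sum;
}

// Walk the headers and fail closed at the first budget violation.
function planExtraction(tar: Uint8Array, budget: ExtractBudget): TarEntry[] {
  const entries: TarEntry[] = [];
  let offset = 0, seen = 0, total = 0;
  while (offset + BLOCK <= tar.length) {
    const h = tar.subarray(offset, offset + BLOCK);
    if (h.every((x) => x === 0)) break; // end-of-archive marker
    if (parseOctal(ascii(h, 148, 8)) !== headerChecksum(h)) throw new Error(`bad header checksum at offset ${offset}`);
    const name = ascii(h, 0, 100);
    const size = parseOctal(ascii(h, 124, 12));
    // An entry claiming gigabytes is refused here, without allocating a buffer
    // or touching the filesystem: the checks use the declared size only.
    if (++seen > budget.maxEntries) throw new Error(`entry budget (${budget.maxEntries}) exceeded at "${name}"`);
    if (size > budget.maxEntryBytes) throw new Error(`"${name}" declares ${size} bytes, per-entry budget is ${budget.maxEntryBytes}`);
    total += size;
    if (total > budget.maxTotalBytes) throw new Error(`total budget (${budget.maxTotalBytes}) exceeded at "${name}"`);
    const padded = Math.ceil(size / BLOCK) * BLOCK;
    if (offset + BLOCK + padded > tar.length) throw new Error(`truncated archive at "${name}"`);
    const typeflag = ascii(h, 156, 1);
    if (typeflag === "0" || typeflag === "") entries.push({ name, size });
    offset += BLOCK + padded;
  }
  return entries;
}

function octal(n: number, width: number): string {
  let s = n.toString(8);
  while (s.length < width) s = "0" + s;
  return s;
}

function putAscii(dst: Uint8Array, offset: number, text: string): void {
  for (let i = 0; i < text.length; i++) dst[offset + i] = text.charCodeAt(i) & 0xff;
}

// Constructed test data: a minimal ustar header for a regular file.
function tarHeader(name: string, size: number): Uint8Array {
  const h = new Uint8Array(BLOCK);
  putAscii(h, 0, name);
  putAscii(h, 100, octal(0o644, 7));
  putAscii(h, 124, octal(size, 11));
  putAscii(h, 136, octal(0, 11));
  putAscii(h, 156, "0");
  putAscii(h, 257, "ustar");
  putAscii(h, 263, "00");
  putAscii(h, 148, octal(headerChecksum(h), 6) + "\0 ");
  return h;
}

// Constructed test data: headers, bodies padded to 512, and the two zero blocks
// that terminate a tar stream. withBody=false yields a header with no data,
// which is how a "declare gigabytes, ship kilobytes" archive looks.
function buildTar(files: FileSpec[]): Uint8Array {
  const parts: Uint8Array[] = [];
  for (let i = 0; i < files.length; i++) {
    parts.push(tarHeader(files[i].name, files[i].size));
    if (files[i].withBody) parts.push(new Uint8Array(Math.ceil(files[i].size / BLOCK) * BLOCK));
  }
  parts.push(new Uint8Array(2 * BLOCK));
  let length = 0;
  for (let i = 0; i < parts.length; i++) length += parts[i].length;
  const out = new Uint8Array(length);
  let pos = 0;
  for (let i = 0; i < parts.length; i++) { out.set(parts[i], pos); pos += parts[i].length; }
  return out;
}

function outcome(tar: Uint8Array, budget: ExtractBudget): string {
  try { return "ok:" + planExtraction(tar, budget).length; }
  catch (e) { return "rejected:" + (e as Error).message; }
}

// A benign archive plus one crafted archive per resource class named in the
// advisory: memory (one huge entry), disk (oversize total), CPU (too many entries).
function demo(): string[] {
  const budget: ExtractBudget = { maxEntries: 1000, maxEntryBytes: 1 << 20, maxTotalBytes: 1000 };
  const many: FileSpec[] = [];
  for (let i = 0; i <= 1000; i++) many.push({ name: "f" + i, size: 0, withBody: true });
  return [
    outcome(buildTar([{ name: "a.txt", size: 10, withBody: true }, { name: "b.txt", size: 20, withBody: true }]), budget),
    outcome(buildTar([{ name: "bomb.bin", size: 4294967296, withBody: false }]), budget),
    outcome(buildTar([{ name: "a.bin", size: 400, withBody: true }, { name: "b.bin", size: 400, withBody: true }, { name: "c.bin", size: 400, withBody: true }]), budget),
    outcome(buildTar(many), budget),
  ];
}
```

Calling `demo()` returns one result string per archive; only the benign one is accepted, and each crafted one is rejected with the budget it violated before a single body byte is consumed. The limits are deliberately small so the test archives stay tiny; a real installer would size them to the largest legitimate package it expects to handle.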
Fix
DoS
Allocation of Resources Without Limits
Resource Exhaustion
Related Identifiers
Affected Products
Openclaw
Clawdbot