PT-2026-23562 · Openclaw+1
Vincent Koc · Published 2026-02-14 · Updated 2026-03-11
CVE-2026-29609
CVSS v4.0 8.7 High
| Vector | AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
Name of the Vulnerable Software and Affected Versions
OpenClaw versions prior to 2026.2.14
clawdbot versions 2026.1.24 and earlier
Description
The software contains a denial of service issue in the fetchWithGuard function, which allocates the entire response payload in memory before enforcing the maxBytes limit. A remote attacker can trigger memory exhaustion by serving an oversized response without a Content-Length header, causing loss of availability. The affected component is src/media/input-files.ts: when Content-Length is missing or incorrect, response.arrayBuffer() buffers the full payload before the size check can run.
Recommendations
OpenClaw versions prior to 2026.2.14: Until a patched release is available, disable URL-backed media inputs or restrict them to a tight hostname allowlist and use conservative maxBytes limits.
clawdbot versions 2026.1.24 and earlier: Until a patched release is available, disable URL-backed media inputs or restrict them to a tight hostname allowlist and use conservative maxBytes limits.
Exploit
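The hardening the Description implies, as an added example that is not OpenClaw or clawdbot code: instead of buffering the whole body with response.arrayBuffer() and checking its size afterwards, the body is streamed and the read is cancelled as soon as the running byte count passes maxBytes, so a missing or false Content-Length no longer matters. The names readBodyBounded, BoundedBuffer and contentLengthExceeds are illustrative, and the code assumes Node 18+ for the global Response type.

```typescript
// Added example for this advisory, not OpenClaw/clawdbot code. Needs Node 18+ (global Response).
// The hypothetical readBodyBounded stands in for `await response.arrayBuffer()` in a fetch guard.

class BodyTooLargeError extends Error {
  constructor(limit: number) { super(`response body exceeds maxBytes=${limit}`); this.name = "BodyTooLargeError"; }
}

// Early reject when Content-Length is present and already over the limit. A missing or wrong
// header must not be trusted: the running byte counter below is the real guard.
function contentLengthExceeds(contentLength: string | null, maxBytes: number): boolean {
  if (contentLength === null) return false;
  const n = Number(contentLength);
  return Number.isFinite(n) && n > maxBytes;
}

// Collects chunks and fails as soon as the running total passes maxBytes, so memory held is
// bounded by maxBytes plus one chunk no matter what the headers claim.
class BoundedBuffer {
  private chunks: Uint8Array[] = [];
  private total = 0;
  private readonly maxBytes: number;
  constructor(maxBytes: number) { this.maxBytes = maxBytes; }
  push(chunk: Uint8Array): void {
    this.total += chunk.byteLength;
    if (this.total > this.maxBytes) throw new BodyTooLargeError(this.maxBytes);
    this.chunks.push(chunk);
  }
  concat(): Uint8Array {
    const out = new Uint8Array(this.total);
    let off = 0;
    for (const c of this.chunks) { out.set(c, off); off += c.byteLength; }
    return out;
  }
}

// Hardened counterpart to arrayBuffer(): stream the body and cancel it the moment the limit is hit.
async function readBodyBounded(response: Response, maxBytes: number): Promise<Uint8Array> {
  if (contentLengthExceeds(response.headers.get("content-length"), maxBytes)) throw new BodyTooLargeError(maxBytes);
  if (!response.body) return new Uint8Array(0);
  const reader = response.body.getReader();
  const buf = new BoundedBuffer(maxBytes);
  try {
    for (;;) {
      const { done, value } = await reader.read();
      if (done || !value) return buf.concat();
      buf.push(value); // throws before the oversized chunk is retained
    }
  } catch (err) {
    await reader.cancel().catch(() => {}); // stop pulling bytes; releases the connection
    throw err;
  }
}
```

Peak memory is bounded by maxBytes plus the size of the chunk that crossed the limit, which is the property the original arrayBuffer() path lacked.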
Fix
DoS
Resource Exhaustion
Allocation of Resources Without Limits
Related Identifiers
Affected Products
Openclaw
Clawdbot