CVE-2026-29609

OpenClaw < 2026.2.14 - Denial of Service via Unbounded URL-backed Media Fetch

CVSS 8.7 HIGHEPSS 0.4%CWE-770

Vexday Risk Score

21Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS 8.7EPSS 0.4%KEV nãoPoC —Patch referenciado

Lifecycle

05 Mar 2026Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

OpenClaw versions prior to 2026.2.14 contain a denial of service vulnerability in the fetchWithGuard function that allocates entire response payloads in memory before enforcing maxBytes limits. Remote attackers can trigger memory exhaustion by serving oversized responses without content-length headers to cause availability loss.

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Affected products

OpenClaw · OpenClaw

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://github.com/openclaw/openclaw/commit/00a08908892d1743d1fc52e5cbd9499dd5da2fe0 https://github.com/openclaw/openclaw/security/advisories/GHSA-j27p-hq53-9wgc https://www.vulncheck.com/advisories/openclaw-denial-of-service-via-unbounded-url-backed-media-fetch