CVE-2026-29609

HIGH

OpenClaw <2026.2.14 - DoS

Title source: llm

Description

OpenClaw versions prior to 2026.2.14 contain a denial of service vulnerability in the fetchWithGuard function that allocates entire response payloads in memory before enforcing maxBytes limits. Remote attackers can trigger memory exhaustion by serving oversized responses without content-length headers to cause availability loss.

References (3)

[Vendor Advisory] https://github.com/openclaw/openclaw/security/advisories/GHSA-j27p-hq53-9wgc

[Patch] https://github.com/openclaw/openclaw/commit/00a08908892d1743d1fc52e5cbd9499dd5da2fe0

View Patch ZIP pw:eip

[Third Party Advisory] https://www.vulncheck.com/advisories/openclaw-denial-of-service-via-unbounded-url-backed-media-fetch

Scores

CVSS v3 7.5

EPSS 0.0017

EPSS Percentile 38.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-770

Status published

Products (1)

openclaw/openclaw < 2026.2.14

Published Mar 05, 2026

Tracked Since Mar 06, 2026