CVE-2026-29609

HIGH

OpenClaw <2026.2.14 - DoS

Title source: llm

Description

OpenClaw versions prior to 2026.2.14 contain a denial of service vulnerability in the fetchWithGuard function that allocates entire response payloads in memory before enforcing maxBytes limits. Remote attackers can trigger memory exhaustion by serving oversized responses without content-length headers to cause availability loss.

References (3)

[Patch] https://github.com/openclaw/openclaw/commit/00a08908892d1743d1fc52e5cbd9499dd5da2fe0

View Patch ZIP pw:eip

[Vendor Advisory] https://github.com/openclaw/openclaw/security/advisories/GHSA-j27p-hq53-9wgc

[Third Party Advisory] https://www.vulncheck.com/advisories/openclaw-denial-of-service-via-unbounded-url-backed-media-fetch

Scores

CVSS v3 7.5

EPSS 0.0010

EPSS Percentile 27.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Classification

CWE

CWE-770

Status draft

Timeline

Published Mar 05, 2026

Tracked Since Mar 06, 2026