CVE-2026-32049

HIGH

OpenClaw < 2026.2.22 - Denial of Service via Inbound Media Download Byte Limit Bypass

Title source: cna

Description

OpenClaw versions prior to 2026.2.22 fail to consistently enforce configured inbound media byte limits before buffering remote media across multiple channel ingestion paths. Remote attackers can send oversized media payloads to trigger elevated memory usage and potential process instability.

References (3)

[Third Party Advisory] https://github.com/openclaw/openclaw/security/advisories/GHSA-rxxp-482v-7mrh

[Patch] https://github.com/openclaw/openclaw/commit/73d93dee64127a26f1acd09d0403b794cdeb4f5c

View Patch ZIP pw:eip

[Third Party Advisory] https://www.vulncheck.com/advisories/openclaw-denial-of-service-via-inbound-media-download-byte-limit-bypass

Scores

CVSS v3 7.5

EPSS 0.0017

EPSS Percentile 38.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-770

Status published

Products (4)

npm/openclaw 0 - 2026.2.22npm

OpenClaw/OpenClaw < 2026.2.22

openclaw/openclaw < 2026.2.22

OpenClaw/OpenClaw 2026.2.22

Published Mar 21, 2026

Tracked Since Mar 21, 2026