CVE-2026-35633

MEDIUM

OpenClaw < 2026.3.22 - Unbounded Memory Allocation via Remote Media Error Responses

Title source: cna

Description

OpenClaw before 2026.3.22 contains an unbounded memory allocation vulnerability in remote media HTTP error handling that allows attackers to trigger excessive memory consumption. Attackers can send crafted HTTP error responses with large bodies to remote media endpoints, causing the application to allocate unbounded memory before failure handling occurs.

References (4)

[Third Party Advisory] https://github.com/openclaw/openclaw/security/advisories/GHSA-4qwc-c7g9-4xcw

[Patch] https://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87

[Patch] https://github.com/openclaw/openclaw/commit/81445a901091a5d27ef0b56fceedbe4724566438

View Patch ZIP pw:eip

[Third Party Advisory] https://www.vulncheck.com/advisories/openclaw-unbounded-memory-allocation-via-remote-media-error-responses

Scores

CVSS v3 5.3

EPSS 0.0018

EPSS Percentile 39.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Details

CWE

CWE-770 CWE-789

Status published

Products (4)

npm/openclaw 0 - 2026.3.22npm

OpenClaw/OpenClaw < 2026.3.22

openclaw/openclaw < 2026.3.22

OpenClaw/OpenClaw 2026.3.22

Published Apr 09, 2026

Tracked Since Apr 10, 2026