CVE-2026-35633

MEDIUM

OpenClaw < 2026.3.22 - Unbounded Memory Allocation via Remote Media Error Responses

Title source: cna

Description

OpenClaw before 2026.3.22 contains an unbounded memory allocation vulnerability in remote media HTTP error handling that allows attackers to trigger excessive memory consumption. Attackers can send crafted HTTP error responses with large bodies to remote media endpoints, causing the application to allocate unbounded memory before failure handling occurs.

References (4)

Third Party Advisory: GitHub Security Advisory (GHSA-4qwc-c7g9-4xcw)
https://github.com/openclaw/openclaw/security/advisories/GHSA-4qwc-c7g9-4xcw

Third Party Advisory: VulnCheck Advisory: OpenClaw < 2026.3.22 - Unbounded Memory Allocation via Remote Media Error Responses
https://www.vulncheck.com/advisories/openclaw-unbounded-memory-allocation-via-remote-media-error-responses

Scores

CVSS v3 5.3
EPSS 0.0036
EPSS Percentile 27.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact partial

Details

CWE: CWE-770, CWE-789
Status published
Products (4)
npm/openclaw 0 - 2026.3.22 (npm)
OpenClaw/OpenClaw < 2026.3.22
openclaw/openclaw < 2026.3.22
OpenClaw/OpenClaw 2026.3.22
Published Apr 09, 2026
Tracked Since Apr 10, 2026