CVE-2026-41408
MEDIUMOpenClaw < 2026.3.31 - Disk Exhaustion via Media Download Bypass
Title source: cnaDescription
OpenClaw before 2026.3.31 contains a resource exhaustion vulnerability in media downloads that bypasses core safety limits for file size, count, and cleanup operations. Attackers can exhaust disk space by downloading media files without triggering intended safety restrictions, causing availability impact.
References (3)
Core 3
Core References
Patch patch
Patch Commit
https://github.com/openclaw/openclaw/commit/2194587d70d2aef863508b945319c5a7c88b12ce
Vendor Advisory vendor-advisory
GitHub Security Advisory (GHSA-4g5x-2jfc-xm98)
https://github.com/openclaw/openclaw/security/advisories/GHSA-4g5x-2jfc-xm98
Third Party Advisory third-party-advisory
VulnCheck Advisory: OpenClaw < 2026.3.31 - Disk Exhaustion via Media Download Bypass
https://www.vulncheck.com/advisories/openclaw-disk-exhaustion-via-media-download-bypass
Scores
CVSS v3
4.3
EPSS
0.0034
EPSS Percentile
25.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-770
Status
published
Products (4)
npm/openclaw
0 - 2026.3.31npm
OpenClaw/OpenClaw
< 2026.3.31
openclaw/openclaw
< 2026.3.31
OpenClaw/OpenClaw
2026.3.31
Published
Apr 28, 2026
Tracked Since
Apr 29, 2026