CVSS 4.0 score (GHSA): 6.9
OpenClaw may run out of memory if sent large media files
GHSA-rxxp-482v-7mrh
Summary
A security issue in OpenClaw could allow an attacker to send very large media files, causing the software to run out of memory and become unstable. This can happen when a user is sent a large file through OpenClaw, and it may not be fixed until the next software update is released. To stay safe, wait for that update before using the software again.
What to do
- Update openclaw to version 2026.2.22.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | openclaw | <= 2026.2.22 | 2026.2.22 |
Original title
OpenClaw's inbound media downloads could exceed configured byte limits before rejection across multiple channels
Original description
## Summary
OpenClaw did not consistently enforce configured inbound media byte limits before buffering remote media in several channel ingestion paths. A remote sender could trigger oversized downloads and memory pressure before rejection.
## Affected Packages / Versions
- Package: `openclaw` (npm)
- Affected versions: `<= 2026.2.21-2` (latest published at triage time)
- Fixed in: `2026.2.22` (planned next release)
## Impact
An attacker could cause elevated memory usage and potential process instability (denial of service) by sending oversized media payloads.
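The two paragraphs above describe the same root cause: the byte limit was checked after remote media had already been buffered, so peak memory was whatever the sender chose to send. The following is an added example, not OpenClaw's code and not taken from the fix commit; it contrasts a buffer-then-check download with one that enforces the limit on every chunk and destroys the stream on rejection. The 1 MiB limit, the chunk sizes and the header objects are constructed for the example.

```javascript
// Added example (not OpenClaw's code): enforce an inbound media byte limit before
// buffering, instead of buffering the whole download and checking its size afterwards.
// MAX_MEDIA_BYTES is an assumed configuration value; all inputs are constructed.

class MediaTooLargeError extends Error {
  constructor(limit, seen) {
    super(`inbound media exceeds limit: ${seen} > ${limit} bytes`);
    this.name = "MediaTooLargeError";
    this.limit = limit;
    this.seen = seen;
  }
}

// Pre-flight check on the declared Content-Length. Cheap, but advisory only: a sender
// can omit the header or lie in it, so the streaming check below is still required.
// Returns the declared length, or null when the header is absent or malformed.
function checkDeclaredLength(headers, maxBytes) {
  const raw = headers["content-length"];
  if (raw === undefined) return null;
  const declared = Number(raw);
  if (!Number.isSafeInteger(declared) || declared < 0) return null;
  if (declared > maxBytes) throw new MediaTooLargeError(maxBytes, declared);
  return declared;
}

// Vulnerable pattern: collect every chunk, then compare the total against the limit.
// The rejection is correct, but peak memory equals the full sender-controlled payload.
function bufferThenCheck(chunks, maxBytes) {
  const held = [];
  let size = 0;
  for (const c of chunks) {
    held.push(c);
    size += c.length;
  }
  const ok = size <= maxBytes;
  return { ok, peakBytesHeld: size, body: ok ? Buffer.concat(held, size) : null };
}

// Hardened pattern: keep a running total and stop at the first chunk that would cross
// the limit. Peak memory is bounded by maxBytes plus one chunk, whatever the sender does.
function checkWhileReading(chunks, maxBytes) {
  const held = [];
  let size = 0;
  for (const c of chunks) {
    if (size + c.length > maxBytes) {
      // The offending chunk has been read, but nothing beyond it will be.
      return { ok: false, peakBytesHeld: size + c.length, body: null };
    }
    held.push(c);
    size += c.length;
  }
  return { ok: true, peakBytesHeld: size, body: Buffer.concat(held, size) };
}

// Same logic over a real async-iterable body (a Node Readable such as an HTTP response):
// header pre-check, per-chunk limit, and destroy() on rejection so the transfer stops
// instead of draining the rest of the payload into memory.
async function downloadWithLimit(stream, headers, maxBytes) {
  checkDeclaredLength(headers, maxBytes);
  const held = [];
  let size = 0;
  try {
    for await (const chunk of stream) {
      if (size + chunk.length > maxBytes) {
        throw new MediaTooLargeError(maxBytes, size + chunk.length);
      }
      held.push(chunk);
      size += chunk.length;
    }
  } catch (err) {
    if (typeof stream.destroy === "function") stream.destroy();
    throw err;
  }
  return Buffer.concat(held, size);
}

const MAX_MEDIA_BYTES = 1024 * 1024; // assumed configured limit: 1 MiB

// Constructed oversized "download": 64 chunks of 64 KiB, 4 MiB in total.
const oversized = Array.from({ length: 64 }, () => Buffer.alloc(64 * 1024, 0x41));

// Compare peak memory held by the two patterns on the same oversized payload.
function demo() {
  const before = bufferThenCheck(oversized, MAX_MEDIA_BYTES);
  const after = checkWhileReading(oversized, MAX_MEDIA_BYTES);
  return { vulnerablePeak: before.peakBytesHeld, hardenedPeak: after.peakBytesHeld };
}

console.log(demo());
```

Both functions reject the 4 MiB payload, but `bufferThenCheck` holds all 4 MiB before it does, while `checkWhileReading` stops after the 17th chunk (just over the 1 MiB limit). For detection, a per-channel counter of `MediaTooLargeError` rejections (or the equivalent log line) is a cheap signal that a sender is probing the limit.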
## Fix Commit(s)
- `73d93dee64127a26f1acd09d0403b794cdeb4f5c`
## Release Process Note
`patched_versions` is pre-set to the planned next release (`2026.2.22`). After that npm release is published, this advisory can be published without further version-field edits.
OpenClaw thanks @tdjackey for reporting.
Vulnerability type
- CWE-400: Uncontrolled Resource Consumption
- CWE-770: Allocation of Resources Without Limits
Published: 2 Mar 2026 · Updated: 7 Mar 2026 · First seen: 6 Mar 2026