CVSS 4.0 score: 6.7
OpenClaw versions prior to 2026.2.14 can be crashed by malicious archives
CVE-2026-28452
GHSA-h89v-j3x9-8wqj
Summary
Older versions of OpenClaw can crash or slow down if given a very large or specially crafted ZIP or TAR file during an install or update. This can make the service unavailable or stop it from working properly. Update to version 2026.2.14 or later to fix this issue.
What to do
- Update steipete/openclaw to version 2026.2.14 or later.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| steipete | openclaw | <= 2026.2.14 | 2026.2.14 |
| steipete | clawdbot | <= 2026.1.24-3 | – |
| openclaw | openclaw | <= 2026.2.14 | – |
Original title
OpenClaw versions prior to 2026.2.14 contain a denial of service vulnerability in the extractArchive function within src/infra/archive.ts that allows attackers to consume excessive CPU, memory, and...
Original description
OpenClaw versions prior to 2026.2.14 contain a denial of service vulnerability in the extractArchive function within src/infra/archive.ts that allows attackers to consume excessive CPU, memory, and disk resources through high-expansion ZIP and TAR archives. Remote attackers can trigger resource exhaustion by providing maliciously crafted archive files during install or update operations, causing service degradation or system unavailability.
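A guard of the kind an unguarded extractArchive needs, as an added example that is not OpenClaw's code: the entry shape, limit values and function names are assumptions. Declared sizes are checked before extraction, and because headers can lie (and TAR entries carry no compressed size to compute a ratio from), a byte budget is enforced again on the bytes the decompressor actually produces.

```typescript
// Added example, not OpenClaw's code: bounds for archive extraction covering
// entry count, per-entry size, total size and expansion ratio. The limit values
// and the entry shape are illustrative assumptions, not the project's.
export interface ArchiveEntry {
  path: string;
  uncompressedSize: number; // size declared in the entry header
  compressedSize?: number;  // ZIP only; TAR entries carry no compressed size
}
export interface ExtractLimits {
  maxEntries: number;
  maxEntryBytes: number;
  maxTotalBytes: number;
  maxRatio: number; // uncompressed / compressed, checked for ZIP entries only
}
export const DEFAULT_LIMITS: ExtractLimits = {
  maxEntries: 10_000, maxEntryBytes: 256 * 2 ** 20, maxTotalBytes: 2 ** 30, maxRatio: 100,
};
// Pre-flight check on declared sizes. Returns null when every limit holds,
// otherwise the reason to reject the archive before a single byte is written.
export function checkDeclaredSizes(entries: ArchiveEntry[], limits = DEFAULT_LIMITS): string | null {
  if (entries.length > limits.maxEntries) return `too many entries: ${entries.length}`;
  let total = 0;
  for (const e of entries) {
    if (e.uncompressedSize > limits.maxEntryBytes) return `${e.path}: entry too large`;
    if (e.compressedSize !== undefined) {
      // A tiny stored size declaring a huge expanded size is the zip-bomb signature.
      const ratio = e.uncompressedSize / Math.max(e.compressedSize, 1);
      if (ratio > limits.maxRatio) return `${e.path}: expansion ratio ${Math.round(ratio)}`;
    }
    total += e.uncompressedSize;
    if (total > limits.maxTotalBytes) return `total declared size exceeds ${limits.maxTotalBytes}`;
  }
  return null;
}
// Headers can lie (and TAR has no ratio to check), so the total cap is enforced
// a second time on the bytes actually produced by the decompressor.
export class ByteBudget {
  private used = 0;
  constructor(private readonly limit: number) {}
  consume(chunkLength: number): void {
    this.used += chunkLength;
    if (this.used > this.limit) throw new Error(`extraction exceeded ${this.limit} bytes`);
  }
}
// Constructed sample: an honest entry plus a 1 KiB entry that claims to expand to 100 MiB.
export const SAMPLE_BOMB: ArchiveEntry[] = [
  { path: "package.json", compressedSize: 400, uncompressedSize: 900 },
  { path: "blob.bin", compressedSize: 1024, uncompressedSize: 100 * 2 ** 20 },
];
```

Wire `ByteBudget.consume(chunk.length)` into the decompressor's data callback so the cap holds even when the header check passes.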
NVD CVSS 3.1: 5.5
NVD CVSS 4.0: 6.7
Vulnerability type
- CWE-770: Allocation of Resources Without Limits
- CWE-400: Uncontrolled Resource Consumption
References
- https://github.com/openclaw/openclaw/commit/5f4b29145c236d124524c2c9af0f8acd048f...
- https://github.com/openclaw/openclaw/commit/d3ee5deb87ee2ad0ab83c92c365611165423...
- https://github.com/openclaw/openclaw/security/advisories/GHSA-h89v-j3x9-8wqj
- https://www.vulncheck.com/advisories/openclaw-denial-of-service-via-unguarded-ar...
- https://github.com/openclaw/openclaw/releases/tag/v2026.2.14
- https://nvd.nist.gov/vuln/detail/CVE-2026-28452
- https://github.com/advisories/GHSA-h89v-j3x9-8wqj
Published: 5 Mar 2026 · Updated: 11 Mar 2026 · First seen: 6 Mar 2026