OpenClaw Denial-of-Service Vulnerability via Unbounded URL-Backed Media Fetch
Vulnerability
A denial-of-service vulnerability has been identified in OpenClaw versions prior to 2026.2.14. The issue arises in the fetchWithGuard function, which reads the entire response body into memory via the arrayBuffer method before enforcing the maxBytes limit. Because the size check runs only after the full allocation, a remote attacker who controls a fetched URL can cause memory exhaustion by serving an oversized response without a content-length header, leading to a loss of availability.
Impact
Exploitation of this vulnerability causes memory exhaustion, leading to availability loss.
Reproduction
The vulnerability can be reproduced by configuring URL-based media input and serving a response larger than the maxBytes limit, without a content-length header. When the fetchWithGuard function is triggered, the unbounded response is processed, causing memory exhaustion.
Remediation
Users can update to OpenClaw version 2026.2.14 or later, and until then, disable URL-backed media inputs or restrict them to a tight hostname allowlist.
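The read-then-check pattern the advisory describes, next to a bounded streaming read, as an added example that is not OpenClaw's code: the server is a constructed Response with a chunked body and no content-length header, the 1 MiB cap and 64 KiB chunk size are assumptions, and the global Response and ReadableStream of Node 18+ are used.

```javascript
const MIB = 1024 * 1024;
const MAX_BYTES = 1 * MIB;     // assumption: a 1 MiB cap standing in for the maxBytes limit
const CHUNK = 64 * 1024;       // constructed server sends the body in 64 KiB chunks

// Constructed stand-in for a remote media server: streams `totalBytes` as a chunked body
// and deliberately sets no content-length, so the size cannot be checked up front.
function streamedResponse(totalBytes) {
  let sent = 0;
  const body = new ReadableStream({
    pull(controller) {
      if (sent >= totalBytes) return controller.close();
      const n = Math.min(CHUNK, totalBytes - sent);
      controller.enqueue(new Uint8Array(n));
      sent += n;
    },
  });
  return new Response(body, { headers: { "content-type": "image/png" } });
}

// Vulnerable shape (the pattern the advisory describes): the whole body is materialised by
// arrayBuffer() before maxBytes is consulted, so peak memory is whatever the server sent.
async function readThenCheck(res, maxBytes) {
  const buf = await res.arrayBuffer();
  return { accepted: buf.byteLength <= maxBytes, buffered: buf.byteLength };
}

// Hardened shape: count bytes as chunks arrive and cancel the stream the moment the cap
// is exceeded; at most maxBytes plus one chunk is ever held in memory.
async function readBounded(res, maxBytes) {
  const reader = res.body.getReader();
  const chunks = [];
  let received = 0;
  for (;;) {
    const { done, value } = await reader.read();
    if (done) break;
    received += value.byteLength;
    if (received > maxBytes) {
      await reader.cancel();              // stops the upstream pull; nothing more is buffered
      return { accepted: false, buffered: received };
    }
    chunks.push(value);
  }
  const bytes = new Uint8Array(received);
  let offset = 0;
  for (const c of chunks) { bytes.set(c, offset); offset += c.byteLength; }
  return { accepted: true, buffered: received, bytes };
}
```

With a 4 MiB body and a 1 MiB cap, readThenCheck holds all 4 MiB before rejecting, while readBounded cancels after 1 MiB plus one 64 KiB chunk; a content-length pre-check remains a useful fast path but cannot replace the streaming bound, since the header is optional and attacker-controlled.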