OpenClaw Denial-of-Service Vulnerability via Oversized Base64-Encoded Media Inputs
Vulnerability
A denial-of-service vulnerability has been identified in OpenClaw versions prior to 2026.2.14. In affected versions the application decodes base64-encoded media inputs into buffers without first bounding the size of the decoded output, so the full-size allocation happens before any limit is checked. A remote attacker who can deliver media to the application can therefore submit oversized base64 payloads that force large memory allocations, creating memory pressure and a denial-of-service condition.
Impact
Exploitation causes the process to allocate memory proportional to the attacker-supplied payload, producing memory pressure and denial-of-service conditions on the affected system. Because the allocation precedes the size check, a configured media size limit alone does not prevent the memory consumption in affected versions.
Reproduction
The issue can be reproduced by submitting a base64-encoded media payload whose decoded size exceeds the limit the application is meant to enforce, through any channel that accepts media inputs, such as file upload features or messaging attachments. Affected versions decode the entire base64 string into a buffer first and apply the size check only afterwards, so the oversized allocation has already occurred by the time the payload is rejected.
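The following is an added example, not OpenClaw's code, showing the decode-then-check pattern described above beside a bounded variant that rejects an oversized payload before any buffer is allocated. The 10 MiB limit, the function names, the allocation counter and the data: URL input shape are assumptions made for the demonstration; the bound relies only on the fact that every 4 base64 characters carry at most 3 bytes, so it can be computed from the encoded text without decoding it.

```javascript
'use strict';
// Added example (not OpenClaw's code). Limit, names and the data: URL
// input shape are assumptions for the demonstration.

const MAX_DECODED_BYTES = 10 * 1024 * 1024; // assumed per-attachment limit

// Instrumented decoder so the two patterns can be compared by how many
// full-size buffers each one allocates for an oversized input.
let allocations = 0;
function base64ToBuffer(b64) {
  allocations += 1;
  return Buffer.from(b64, 'base64');
}
function allocationCount() { return allocations; }
function resetAllocationCount() { allocations = 0; }

// If the input is a data: URL such as "data:image/png;base64,AAAA", return
// the payload after the comma; any other string is returned unchanged.
function stripDataUrlPrefix(input) {
  if (!input.startsWith('data:')) return input;
  const comma = input.indexOf(',');
  if (comma === -1 || !input.slice(5, comma).toLowerCase().endsWith(';base64')) {
    throw new TypeError('expected a base64 data: URL');
  }
  return input.slice(comma + 1);
}

// Decoded length computed from the encoded text alone: trailing '=' padding
// carries no data, and every 4 remaining characters carry 3 bytes. Ignored
// whitespace can only make this an over-estimate, which fails safe.
function decodedLength(b64) {
  const n = b64.replace(/=+$/, '').length;
  return Math.floor((n * 3) / 4);
}

// Vulnerable pattern: decode, then check. The full decoded Buffer already
// exists when the limit is consulted, so an oversized payload costs memory
// even though it is ultimately rejected.
function decodeMediaUnsafe(input, maxBytes = MAX_DECODED_BYTES) {
  const buf = base64ToBuffer(stripDataUrlPrefix(input));
  if (buf.length > maxBytes) throw new RangeError('media too large');
  return buf;
}

// Hardened pattern: reject on the arithmetic bound first, decode only when
// the payload can fit, and re-check the real length afterwards in case the
// text was not clean base64.
function decodeMediaBounded(input, maxBytes = MAX_DECODED_BYTES) {
  if (typeof input !== 'string') throw new TypeError('expected a string');
  const b64 = stripDataUrlPrefix(input);
  const projected = decodedLength(b64);
  if (projected > maxBytes) {
    throw new RangeError(`media would decode to ${projected} bytes, limit is ${maxBytes}`);
  }
  const buf = base64ToBuffer(b64);
  if (buf.length > maxBytes) throw new RangeError('media too large');
  return buf;
}

// Constructed input: 4096 'A's decode to 3072 bytes, well over a 1 KiB limit.
const oversized = 'A'.repeat(4096);
for (const [name, fn] of [['unsafe', decodeMediaUnsafe], ['bounded', decodeMediaBounded]]) {
  resetAllocationCount();
  try { fn(oversized, 1024); } catch (e) { /* both reject it */ }
  console.log(`${name}: rejected after ${allocationCount()} buffer allocation(s)`);
}
```

The unsafe variant reports one allocation for the rejected payload; the bounded variant reports none. In a real service the same bound should also be applied to the raw request body, since an attacker who can send an unbounded string has already consumed memory for the encoded form.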
Remediation
Users can upgrade to OpenClaw version 2026.2.14 or later to address this vulnerability.
