OpenClaw Denial-of-Service Vulnerability via Inbound Media Download Byte Limit Bypass
Vulnerability
A denial-of-service vulnerability has been identified in OpenClaw versions prior to 2026.2.22. The application does not consistently enforce the configured inbound media byte limit before buffering remote media: on several channel ingestion paths the size check is applied only after the payload has already been read into memory. A remote sender can therefore deliver an oversized media payload that the application holds in full before rejecting it, driving up memory usage and potentially destabilizing the process.
Impact
Exploitation of this vulnerability leads to increased memory consumption and could cause the application to become unstable, potentially crashing or disrupting its normal operations.
Reproduction
The vulnerability can be reproduced by sending a media file that exceeds the configured byte limit through any of the affected channels (Discord, Telegram, Zalo, Microsoft Teams, or BlueBubbles). The application buffers the entire file, so the process's memory usage spikes by roughly the size of the payload before the payload is eventually rejected. Watching the process's resident memory during the download is the simplest way to confirm the behaviour: on an affected version the growth tracks the payload size rather than the configured limit.
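The two patterns at issue, as an added illustration in JavaScript that is not OpenClaw's code: bufferThenCheck reproduces the buffer-first, check-later behaviour described above, and downloadWithCap enforces the limit both on the declared size and on the running byte count so that peak memory never exceeds the configured cap. The function names, the chunked-iterable interface standing in for a network body, the limit value and the sample payloads are all assumptions for this example.

```javascript
// Added example, not OpenClaw's code. Models a media download arriving in
// chunks and compares a size check applied after buffering with one applied
// before and during buffering. Names and sample data are assumptions.

const DEFAULT_MAX_INBOUND_BYTES = 16 * 1024; // hypothetical configured limit

// Vulnerable pattern: accumulate every chunk, then compare the total.
// Peak memory equals whatever size the remote sender chose to deliver.
function bufferThenCheck(chunks, maxBytes = DEFAULT_MAX_INBOUND_BYTES) {
  const parts = [];
  let total = 0;
  for (const chunk of chunks) {
    parts.push(chunk);
    total += chunk.length;
  }
  if (total > maxBytes) {
    return { ok: false, reason: "too large", bytesBuffered: total, data: null };
  }
  return { ok: true, reason: null, bytesBuffered: total, data: Buffer.concat(parts) };
}

// Hardened pattern: reject on the declared length first, then count bytes as
// they arrive and stop before retaining the chunk that would cross the cap.
// A declared length is advisory only (the sender controls it), so the
// streaming check is what actually bounds memory.
function downloadWithCap(chunks, maxBytes = DEFAULT_MAX_INBOUND_BYTES, declaredLength = null) {
  if (declaredLength !== null && declaredLength > maxBytes) {
    return { ok: false, reason: "declared length exceeds limit", bytesBuffered: 0, data: null };
  }
  const parts = [];
  let total = 0;
  for (const chunk of chunks) {
    if (total + chunk.length > maxBytes) {
      // Stop reading here; with a real HTTP client this is where the
      // response stream would be destroyed so the socket stops receiving.
      return { ok: false, reason: "limit exceeded mid-stream", bytesBuffered: total, data: null };
    }
    parts.push(chunk);
    total += chunk.length;
  }
  return { ok: true, reason: null, bytesBuffered: total, data: Buffer.concat(parts) };
}

// Constructed sample body: a lazy generator yielding `count` chunks of
// `chunkSize` bytes, standing in for a remote media download. Because it is
// lazy, chunks the consumer never asks for are never materialised, which
// mirrors an aborted download.
function* fakeBody(count, chunkSize) {
  for (let i = 0; i < count; i++) {
    yield Buffer.alloc(chunkSize, 0x41);
  }
}

// Runs both patterns against a 64 KiB body with a 4 KiB limit, plus a
// sender that honestly declares an oversized length and a body within limit.
function demo() {
  const max = 4096;
  const vuln = bufferThenCheck(fakeBody(64, 1024), max);
  const hardened = downloadWithCap(fakeBody(64, 1024), max, null);
  const declared = downloadWithCap(fakeBody(64, 1024), max, 65536);
  const small = downloadWithCap(fakeBody(3, 1024), max, 3072);
  return { vuln, hardened, declared, small };
}
```

In the 64 KiB case the vulnerable path retains all 65536 bytes before reporting "too large", while the hardened path retains at most 4096 bytes and never pulls the remaining chunks. The declared-length check is cheap and worth keeping, but it must never replace the streaming check: a sender can omit or understate Content-Length, and only the running count protects the process.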
Remediation
Update to OpenClaw version 2026.2.22 or later, where the configured inbound media byte limit is enforced before remote media is buffered on the affected channel ingestion paths.
