OpenClaw Unbounded Memory Allocation Vulnerability in Remote Media HTTP Error Handling

Vulnerability

A vulnerability allowing unbounded memory allocation has been identified in OpenClaw versions prior to 2026.3.22. It arises in the handling of HTTP error responses from remote media endpoints, where the application imposes no limit on how much of the response body it reads into memory. An attacker who controls a remote media endpoint can exploit this by returning a crafted HTTP error response with a large body, causing excessive memory consumption before the application can process the error. This vulnerability has been patched in version 2026.3.22 and is also present in the latest release, 2026.3.23-2.

Impact

Exploitation of this vulnerability leads to uncontrolled memory consumption, which can cause the application to fail or become unresponsive.

Reproduction

The vulnerability can be reproduced by having a remote media endpoint return an HTTP error response with a large body to an OpenClaw version prior to 2026.3.22. The application allocates memory in proportion to the size of the response, leading to excessive memory usage.
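The defensive pattern implied by the fix, as an added example that is not OpenClaw's code: read a remote error body through a hard cap instead of an unbounded read, and reject oversized bodies up front when Content-Length declares them. The cap value, the function names and the FakeErrorStream stand-in are assumptions.

```python
# Constructed cap; the advisory names no specific limit, so this value is an assumption.
MAX_ERROR_BODY_BYTES = 64 * 1024


def read_bounded_body(stream, limit=MAX_ERROR_BODY_BYTES, chunk_size=8192):
    """Read at most `limit` bytes from a response body stream.

    The vulnerable pattern is `stream.read()` with no cap, which allocates
    whatever the remote server chooses to send. Here reads are chunked and
    stop as soon as the cap is exceeded, so peak allocation is bounded by
    `limit` plus one chunk regardless of the body size.
    Returns (body_bytes, truncated).
    """
    buf = bytearray()
    while True:
        # Ask for one byte beyond what the cap allows so overflow is
        # detectable without a second read.
        chunk = stream.read(min(chunk_size, limit - len(buf) + 1))
        if not chunk:
            return bytes(buf), False
        buf.extend(chunk)
        if len(buf) > limit:
            del buf[limit:]
            return bytes(buf), True


def handle_error_response(status, headers, stream, limit=MAX_ERROR_BODY_BYTES):
    """Build a bounded error message for a non-2xx remote media response."""
    # Fast path: a declared Content-Length above the cap is rejected unread.
    declared = headers.get("content-length")
    if declared is not None and declared.isdigit() and int(declared) > limit:
        return f"remote media fetch failed: HTTP {status} (error body not read, {declared} bytes exceeds cap)"
    body, truncated = read_bounded_body(stream, limit)
    snippet = body[:200].decode("utf-8", errors="replace")
    return f"remote media fetch failed: HTTP {status}: {snippet}" + (" [truncated]" if truncated else "")


class FakeErrorStream:
    """Constructed stand-in for an HTTP body stream that serves `total` bytes of 'x'."""

    def __init__(self, total):
        self.remaining = total

    def read(self, n=-1):
        n = self.remaining if n < 0 else min(n, self.remaining)
        self.remaining -= n
        return b"x" * n
```

With a 1 GB FakeErrorStream only the capped prefix is ever materialised, which is the property a regression test for this class of bug should assert.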

Remediation

Users can upgrade to OpenClaw version 2026.3.22 or later to address this vulnerability.

Added: Apr 9, 2026, 11:49 PM
Updated: Apr 9, 2026, 11:49 PM

Vulnerability Rating

Custom Algorithm

spread           0.0
impact           2.5
exploitability   8.4
remediation      0.0
relevance        5.5
threat           4.8
urgency          2.9
incentive        4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.