OpenClaw Memory Exhaustion Vulnerability via Improper Base64 Decoding Size Validation
Vulnerability
A memory exhaustion vulnerability has been identified in OpenClaw versions prior to 2026.4.8. The issue arises from improper input validation in base64 decoding: the decoded buffer is allocated before any size limit is enforced on the decoded data, so the limit cannot bound memory use. This flaw can be exploited by attackers using specially crafted base64-encoded input, leading to memory exhaustion or denial-of-service conditions.
Impact
Exploitation of this vulnerability can cause memory exhaustion, leading to denial-of-service conditions.
Reproduction
The vulnerability can be reproduced by sending base64-encoded input whose decoded size exceeds the expected limits. This can be done through any input field or parameter that accepts base64-encoded data, such as file uploads or data submission forms. Because no size validation occurs before memory allocation, the crafted input consumes excessive memory, causing the application to slow down or become unresponsive.
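The following is an added example and not OpenClaw's own code; the page does not show the affected decoder, so this illustrates the generic ordering defect described above (decode first, check size afterwards) next to a bounded decoder that sizes the input before allocating. It assumes a Node.js runtime with the built-in Buffer API; MAX_DECODED_BYTES is a hypothetical limit chosen for illustration, and the function names are the example's own.

```javascript
// Added example, not OpenClaw's code. Contrasts the flawed ordering the
// advisory describes (decode, then check size) with a decoder that rejects
// oversized input before any decoded buffer exists. Assumes Node.js (Buffer);
// MAX_DECODED_BYTES is an illustrative limit, not a value from the advisory.
const MAX_DECODED_BYTES = 1024 * 1024; // 1 MiB, hypothetical limit

// Flawed pattern: Buffer.from allocates and fills the full decoded buffer
// first, so the limit only fires after the memory has already been spent.
function decodeThenCheck(encoded) {
  const decoded = Buffer.from(encoded, 'base64');
  if (decoded.length > MAX_DECODED_BYTES) {
    throw new RangeError(`decoded size ${decoded.length} exceeds ${MAX_DECODED_BYTES}`);
  }
  return decoded;
}

// O(1) upper bound from the encoded length alone: every 4 base64 characters
// decode to at most 3 bytes. Padding and ignored whitespace only lower it.
function maxDecodedLength(encoded) {
  return Math.ceil(encoded.length / 4) * 3;
}

// Exact decoded length without decoding: Buffer.byteLength understands the
// base64 encoding and accounts for '=' padding, but allocates no buffer.
function exactDecodedLength(encoded) {
  return Buffer.byteLength(encoded, 'base64');
}

// Hardened pattern: size the input before any allocation. The cheap bound
// accepts clearly small input; only borderline input pays for the O(n)
// length scan, and the decode happens only once the size is known to fit.
function checkThenDecode(encoded, limit = MAX_DECODED_BYTES) {
  if (typeof encoded !== 'string') {
    throw new TypeError('base64 input must be a string');
  }
  if (maxDecodedLength(encoded) > limit) {
    const exact = exactDecodedLength(encoded);
    if (exact > limit) {
      throw new RangeError(`input would decode to ${exact} bytes, limit is ${limit}`);
    }
  }
  return Buffer.from(encoded, 'base64');
}

// Convenience predicate: true if the input fits the limit without decoding it.
function fitsLimit(encoded, limit = MAX_DECODED_BYTES) {
  return maxDecodedLength(encoded) <= limit || exactDecodedLength(encoded) <= limit;
}
```

When a request handler accepts base64 from the network, the limit should be applied at the same place the string is first read, and it should be derived from the encoded length (or from Buffer.byteLength) rather than from the result of the decode; a check that runs after Buffer.from has returned protects nothing, because the allocation it was meant to prevent has already happened.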
Remediation
Users can upgrade to OpenClaw version 2026.4.8 or later to address this vulnerability.
