{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32049", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "state": "PUBLISHED", "assignerShortName": "VulnCheck", "dateReserved": "2026-03-10T19:48:47.515Z", "datePublished": "2026-03-21T00:42:21.905Z", "dateUpdated": "2026-03-24T15:22:25.521Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-03-21T00:42:21.905Z"}, "title": "OpenClaw < 2026.2.22 - Denial of Service via Inbound Media Download Byte Limit Bypass", "descriptions": [{"lang": "en", "value": "OpenClaw versions prior to 2026.2.22 fail to consistently enforce configured inbound media byte limits before buffering remote media across multiple channel ingestion paths. Remote attackers can send oversized media payloads to trigger elevated memory usage and potential process instability."}], "tags": ["x_open-source"], "datePublic": "2026-02-23T00:00:00.000Z", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-770", "description": "CWE-770: Allocation of Resources Without Limits or Throttling", "type": "CWE"}]}], "affected": [{"vendor": "OpenClaw", "product": "OpenClaw", "defaultStatus": "unaffected", "packageURL": "pkg:npm/openclaw", "versions": [{"version": "0", "status": "affected", "versionType": "semver", "lessThan": "2026.2.22"}, {"version": "2026.2.22", "status": "unaffected", "versionType": "semver"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "versionEndExcluding": "2026.2.22"}]}]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "HIGH", "baseScore": 8.7, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"}}, {"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH", "version": "3.1", "baseSeverity": "HIGH", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}}], "references": [{"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-rxxp-482v-7mrh", "name": "GitHub Security Advisory (GHSA-rxxp-482v-7mrh)", "tags": ["third-party-advisory"]}, {"url": "https://github.com/openclaw/openclaw/commit/73d93dee64127a26f1acd09d0403b794cdeb4f5c", "name": "Patch Commit", "tags": ["patch"]}, {"name": "VulnCheck Advisory: OpenClaw < 2026.2.22 - Denial of Service via Inbound Media Download Byte Limit Bypass", "tags": ["third-party-advisory"], "url": "https://www.vulncheck.com/advisories/openclaw-denial-of-service-via-inbound-media-download-byte-limit-bypass"}], "credits": [{"lang": "en", "value": "tdjackey", "type": "reporter"}], "x_generator": {"engine": "vulncheck"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-24T15:21:58.169876Z", "id": "CVE-2026-32049", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-24T15:22:25.521Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32049", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "state": "PUBLISHED", "assignerShortName": "VulnCheck", "dateReserved": "2026-03-10T19:48:47.515Z", "datePublished": "2026-03-21T00:42:21.905Z", "dateUpdated": "2026-03-24T15:22:25.521Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-03-21T00:42:21.905Z"}, "title": "OpenClaw < 2026.2.22 - Denial of Service via Inbound Media Download Byte Limit Bypass", "descriptions": [{"lang": "en", "value": "OpenClaw versions prior to 2026.2.22 fail to consistently enforce configured inbound media byte limits before buffering remote media across multiple channel ingestion paths. Remote attackers can send oversized media payloads to trigger elevated memory usage and potential process instability."}], "tags": ["x_open-source"], "datePublic": "2026-02-23T00:00:00.000Z", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-770", "description": "CWE-770: Allocation of Resources Without Limits or Throttling", "type": "CWE"}]}], "affected": [{"vendor": "OpenClaw", "product": "OpenClaw", "defaultStatus": "unaffected", "packageURL": "pkg:npm/openclaw", "versions": [{"version": "0", "status": "affected", "versionType": "semver", "lessThan": "2026.2.22"}, {"version": "2026.2.22", "status": "unaffected", "versionType": "semver"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "versionEndExcluding": "2026.2.22"}]}]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "HIGH", "baseScore": 8.7, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"}}, {"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH", "version": "3.1", "baseSeverity": "HIGH", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}}], "references": [{"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-rxxp-482v-7mrh", "name": "GitHub Security Advisory (GHSA-rxxp-482v-7mrh)", "tags": ["third-party-advisory"]}, {"url": "https://github.com/openclaw/openclaw/commit/73d93dee64127a26f1acd09d0403b794cdeb4f5c", "name": "Patch Commit", "tags": ["patch"]}, {"name": "VulnCheck Advisory: OpenClaw < 2026.2.22 - Denial of Service via Inbound Media Download Byte Limit Bypass", "tags": ["third-party-advisory"], "url": "https://www.vulncheck.com/advisories/openclaw-denial-of-service-via-inbound-media-download-byte-limit-bypass"}], "credits": [{"lang": "en", "value": "tdjackey", "type": "reporter"}], "x_generator": {"engine": "vulncheck"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-32049", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-24T15:21:58.169876Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-24T15:22:21.956Z"}}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "6EA3E555-7328-4665-9FBC-BF4357239EDF", "versionEndExcluding": "2026.2.22", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "OpenClaw versions prior to 2026.2.22 fail to consistently enforce configured inbound media byte limits before buffering remote media across multiple channel ingestion paths. Remote attackers can send oversized media payloads to trigger elevated memory usage and potential process instability."}], "id": "CVE-2026-32049", "lastModified": "2026-03-23T17:09:08.487", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "disclosure@vulncheck.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "disclosure@vulncheck.com", "type": "Secondary"}]}, "published": "2026-03-21T01:17:07.700", "references": [{"source": "disclosure@vulncheck.com", "tags": ["Patch"], "url": "https://github.com/openclaw/openclaw/commit/73d93dee64127a26f1acd09d0403b794cdeb4f5c"}, {"source": "disclosure@vulncheck.com", "tags": ["Vendor Advisory"], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-rxxp-482v-7mrh"}, {"source": "disclosure@vulncheck.com", "tags": ["Third Party Advisory"], "url": "https://www.vulncheck.com/advisories/openclaw-denial-of-service-via-inbound-media-download-byte-limit-bypass"}], "sourceIdentifier": "disclosure@vulncheck.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-770"}], "source": "disclosure@vulncheck.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2026.2.22)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "2026.2.22"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "OpenClaw", "source": "cna", "vendor": "OpenClaw"}, "product": "openclaw", "vendor": "openclaw"}], "analysis": {"en": {"generated_at": "2026-03-21T06:57:42.513794+00:00", "value": {"mitigation_remediation": ["Apply the latest OpenClaw release (2026.2.22 or later).", "Verify that the inbound media byte limit enforcement is active in production.", "Configure application or network firewalls to reject payloads exceeding the allowed size.", "Monitor logs for unusually large media ingestion events and set up alerts for repeated failures."], "summary": {"action": "Immediate Patch", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "Systems running OpenClaw prior to 2026.2.22 are impacted. This includes any installation of the OpenClaw application packaged with the tagged releases. No specific platform restrictions are listed, so the issue applies across all environments that deploy the vulnerable node.js code base.", "description_and_impact": "The vulnerability resides in OpenClaw versions older than 2026.2.22. A flaw in the inbound media handling allows an attacker to upload media larger than the configured byte limit. The software accepts the oversized payload, buffers it before enforcing the limit, and consumes expanding memory. This can crash the process or consume multiple gigabytes of RAM, leading to denial of service. The weakness aligns with CWE-770, Resource Exhaustion.", "risk_and_exploitability": "The CVSS base score of 8.7 rates the issue as High. OpenClaw's own vulnerability advisory explains that no exploit code is required; the attacker only needs to transmit large media files, a capability available from any remote network. The EPSS score is not listed, and the vulnerability is not yet in the CISA KEV catalogue. As a result, the risk is high and the likelihood of exploitation is significant, especially in services that accept user uploaded media without additional infrastructure checks."}}}}, "created": "2026-03-23T09:51:25.916746+00:00", "updated": "2026-03-25T14:33:25.215708+00:00", "vendors": ["openclaw", "openclaw$PRODUCT$openclaw"]}