
Description

OpenClaw before 2026.3.31 contains a resource exhaustion vulnerability in media downloads: the download path bypasses the core safety limits on file size, file count, and cleanup. An attacker can exhaust disk space by requesting media downloads that never trigger the intended restrictions, which affects availability. The fix is in 2026.3.31 (see the patch commit under References).
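The pattern behind CWE-770 in a download path, as an added example that is not OpenClaw's code and not the fix in the linked commit: a constructed `MediaStore` class (hypothetical name) enforces a per-file byte cap on the bytes actually received rather than on a declared Content-Length, a cap on how many files the download area keeps, and removal of the partial file whenever a cap trips, beside a `naive_save` that does none of this. The limits, file names and the "response" streams are all constructed for the demo.

```python
"""Added example of the limits CWE-770 is about; not OpenClaw's code."""
from __future__ import annotations

import itertools
import os
import tempfile
from pathlib import Path
from typing import Iterable, Optional


class DownloadLimitExceeded(Exception):
    """Raised when a download would exceed a configured safety limit."""


def naive_save(dest: Path, chunks: Iterable[bytes]) -> int:
    """The unsafe pattern: write whatever arrives, with no cap and no cleanup."""
    written = 0
    with open(dest, "wb") as fh:
        for chunk in chunks:
            fh.write(chunk)
            written += len(chunk)
    return written


class MediaStore:
    """Hypothetical download area enforcing size, count and cleanup limits."""

    def __init__(self, root: Path, max_bytes_per_file: int, max_files: int) -> None:
        self.root = Path(root)
        self.root.mkdir(parents=True, exist_ok=True)
        self.max_bytes_per_file = max_bytes_per_file
        self.max_files = max_files

    def file_count(self) -> int:
        return sum(1 for p in self.root.iterdir() if p.is_file())

    def save(self, name: str, chunks: Iterable[bytes],
             declared_length: Optional[int] = None) -> Path:
        # The count cap is checked before any file is created.
        if self.file_count() >= self.max_files:
            raise DownloadLimitExceeded(f"file count cap {self.max_files} reached")
        # A declared length (e.g. Content-Length) allows an early reject, but it is
        # attacker-controlled, so the real cap is enforced on received bytes below.
        if declared_length is not None and declared_length > self.max_bytes_per_file:
            raise DownloadLimitExceeded(f"declared {declared_length} exceeds cap")
        safe_name = Path(name).name  # drop any directory components
        if safe_name in ("", ".", ".."):
            raise ValueError("unusable file name")
        dest = self.root / safe_name
        part = dest.with_name(safe_name + ".part")
        written = 0
        completed = False
        try:
            with open(part, "wb") as fh:
                for chunk in chunks:
                    written += len(chunk)
                    if written > self.max_bytes_per_file:
                        raise DownloadLimitExceeded(
                            f"received {written} exceeds cap {self.max_bytes_per_file}")
                    fh.write(chunk)
            os.replace(part, dest)  # only a complete, in-limit file gets its final name
            completed = True
        finally:
            if not completed:
                part.unlink(missing_ok=True)  # cleanup runs on every failure path
        return dest


def run_demo() -> dict:
    """Exercise both paths against constructed streams; returns what each did."""
    results: dict = {}
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        cap = 4096
        # Constructed "responses": an endless chunked body and a finite 8 KiB one.
        endless = itertools.repeat(b"A" * 1024)
        eight_kib = [b"B" * 1024] * 8

        # Unsafe path: the finite oversized body is stored in full.
        results["naive_size"] = naive_save(root / "naive.bin", eight_kib)
        (root / "naive.bin").unlink()

        store = MediaStore(root, max_bytes_per_file=cap, max_files=2)
        try:
            store.save("huge.bin", endless)
            results["endless_rejected"] = False
        except DownloadLimitExceeded:
            results["endless_rejected"] = True
        # Nothing may survive a rejected download, not even a .part file.
        results["leftover"] = sorted(p.name for p in root.iterdir())

        try:
            store.save("liar.bin", eight_kib, declared_length=100)  # understated size
            results["lying_length_rejected"] = False
        except DownloadLimitExceeded:
            results["lying_length_rejected"] = True

        store.save("a.bin", [b"ok"])
        store.save("b.bin", [b"ok"])
        try:
            store.save("c.bin", [b"ok"])
            results["count_capped"] = False
        except DownloadLimitExceeded:
            results["count_capped"] = True
        results["files_kept"] = store.file_count()
    return results


if __name__ == "__main__":
    print(run_demo())
```

The three properties to check in any downloader of this kind are visible in `save`: the count limit is tested before a file descriptor is opened, the byte limit is tested on bytes received (so an endless chunked body or an understated Content-Length both stop at the cap), and the partial file is unlinked in `finally`, so a rejected download leaves no residue on disk.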

PUBLISHED Reserved 2026-04-20 | Published 2026-04-28 | Updated 2026-04-29 | Assigner VulnCheck

LOW: 2.3 (CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N)

MEDIUM: 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L)

Problem types

CWE-770: Allocation of Resources Without Limits or Throttling

Product status

Default status: unaffected

Any version before 2026.3.31: affected

2026.3.31 (semver): unaffected

Credits

AntAISecurityLab (reporter)

References

github.com/...enclaw/security/advisories/GHSA-4g5x-2jfc-xm98 (GitHub Security Advisory (GHSA-4g5x-2jfc-xm98)) vendor-advisory

github.com/...ommit/2194587d70d2aef863508b945319c5a7c88b12ce (Patch Commit) patch

www.vulncheck.com/...sk-exhaustion-via-media-download-bypass (VulnCheck Advisory: OpenClaw < 2026.3.31 - Disk Exhaustion via Media Download Bypass) third-party-advisory

cve.org (CVE-2026-41408)

nvd.nist.gov (CVE-2026-41408)
