Vulnerability Description
OpenClaw versions prior to 2026.2.14 contain a denial of service vulnerability in the fetchWithGuard function that allocates entire response payloads in memory before enforcing maxBytes limits. Remote attackers can trigger memory exhaustion by serving oversized responses without content-length headers to cause availability loss.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Openclaw | Openclaw | < 2026.2.14 |
Related Weaknesses (CWE)
References
- https://github.com/openclaw/openclaw/commit/00a08908892d1743d1fc52e5cbd9499dd5daPatch
- https://github.com/openclaw/openclaw/security/advisories/GHSA-j27p-hq53-9wgcVendor Advisory
- https://www.vulncheck.com/advisories/openclaw-denial-of-service-via-unbounded-urThird Party Advisory
- https://github.com/openclaw/openclaw/security/advisories/GHSA-j27p-hq53-9wgcVendor Advisory
FAQ
What is CVE-2026-29609?
CVE-2026-29609 is a vulnerability with a CVSS score of 7.5 (HIGH). OpenClaw versions prior to 2026.2.14 contain a denial of service vulnerability in the fetchWithGuard function that allocates entire response payloads in memory before enforcing maxBytes limits. Remote...
How severe is CVE-2026-29609?
CVE-2026-29609 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-29609?
Check the references section above for vendor advisories and patch information. Affected products include: Openclaw Openclaw.