CVE-2026-35633 · HIGH · CVSS 0.0

OpenClaw: Remote media error responses could trigger unbounded memory allocation before failure

Published Mar 26, 2026 · Updated Jul 1, 2026

Description

## Summary

Remote media HTTP error bodies were read without a hard size cap before failure handling, allowing unbounded allocation on error responses.

## Affected Packages / Versions

- Package: `openclaw` (npm)
- Affected: < 2026.3.22
- Fixed: >= 2026.3.22
- Latest released tag checked: `v2026.3.23-2` (`630f1479c44f78484dfa21bb407cbe6f171dac87`)
- Latest published npm version checked: `2026.3.23-2`

## Fix Commit(s)

- `81445a901091a5d27ef0b56fceedbe4724566438`

## Release Status

The fix shipped in `v2026.3.22` and remains present in `v2026.3.23` and `v2026.3.23-2`.

## Code-Level Confirmation

- `src/media/fetch.ts` now routes non-2xx failures through bounded prefix reads instead of buffering the whole error body.
- `src/media/read-response-with-limit.ts` enforces capped reads and truncates oversized snippets before surfacing failure text.

OpenClaw thanks @YLChen-007 for reporting.
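The bounded-prefix read that the fix describes, as an added TypeScript example that is not OpenClaw's code: the vulnerable pattern (buffer the entire error body) beside a capped reader that stops pulling chunks once the cap is full and marks the snippet as truncated. The cap value, the function names and the lazy chunk source are assumptions; a real client would feed chunks from the HTTP response stream.

```typescript
// Added example, not OpenClaw's code; cap value and chunk source are assumptions.
const ERROR_BODY_CAP = 1024; // bytes of an error body we are willing to keep
interface BoundedRead { text: string; truncated: boolean; bytesKept: number }

// Vulnerable pattern: buffer the whole error body before building the failure
// message, so memory grows with whatever the remote server chooses to send.
function readWholeBody(chunks: Iterable<Uint8Array>): string {
  const parts: Uint8Array[] = [];
  for (const c of chunks) parts.push(c);
  const all = new Uint8Array(parts.reduce((n, p) => n + p.length, 0));
  let off = 0;
  for (const p of parts) { all.set(p, off); off += p.length; }
  return new TextDecoder().decode(all);
}

// Hardened pattern: keep only a bounded prefix and stop pulling chunks once it
// is full, so the allocation is fixed no matter how large the body is.
function readPrefixWithLimit(chunks: Iterable<Uint8Array>, limit = ERROR_BODY_CAP): BoundedRead {
  const buf = new Uint8Array(limit);
  let filled = 0;
  let truncated = false;
  for (const c of chunks) {
    const room = limit - filled;
    if (c.length > room) {         // this chunk would overflow the cap
      buf.set(c.subarray(0, room), filled);
      filled += room;
      truncated = true;
      break;                       // remaining chunks are never read
    }
    buf.set(c, filled);
    filled += c.length;
  }
  // A cut mid UTF-8 sequence decodes to U+FFFD instead of throwing; fine for a snippet.
  return { text: new TextDecoder().decode(buf.subarray(0, filled)), truncated, bytesKept: filled };
}

function describeFailure(status: number, chunks: Iterable<Uint8Array>): string {
  const r = readPrefixWithLimit(chunks);
  return `remote media fetch failed (HTTP ${status}): ${r.text}${r.truncated ? " [truncated]" : ""}`;
}

// Constructed sample: a lazy error body that records how many chunks were pulled.
function hugeErrorBody(totalBytes: number, chunkSize = 4096) {
  const stats = { chunksPulled: 0 };
  const filler = new TextEncoder().encode("x".repeat(chunkSize));
  function* gen(): Iterable<Uint8Array> {
    for (let sent = 0; sent < totalBytes; sent += chunkSize) {
      stats.chunksPulled++;
      yield filler.subarray(0, Math.min(chunkSize, totalBytes - sent));
    }
  }
  return { chunks: gen(), stats };
}
```

With a 10 MiB constructed body, `readPrefixWithLimit` pulls a single chunk and keeps 1024 bytes, while `readWholeBody` would materialise all of it.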

Affected Packages (1)

openclaw (npm)
Fixed in 2026.3.22

