Summary
OpenClaw did not consistently enforce configured inbound media byte limits before buffering remote media in several channel ingestion paths. A remote sender could trigger oversized downloads and memory pressure before rejection.
Affected Packages / Versions
- Package:
openclaw (npm)
- Affected versions:
<= 2026.2.21-2 (latest published at triage time)
- Fixed in:
2026.2.22 (planned next release)
Impact
An attacker could cause elevated memory usage and potential process instability (denial of service) by sending oversized media payloads.
Fix Commit(s)
73d93dee64127a26f1acd09d0403b794cdeb4f5c
Release Process Note
patched_versions is pre-set to the planned next release (2026.2.22). After that npm release is published, this advisory can be published without further version-field edits.
OpenClaw thanks @tdjackey for reporting.
References
tdjackey Reporter
Summary
OpenClaw did not consistently enforce configured inbound media byte limits before buffering remote media in several channel ingestion paths. A remote sender could trigger oversized downloads and memory pressure before rejection.
Affected Packages / Versions
openclaw(npm)<= 2026.2.21-2(latest published at triage time)2026.2.22(planned next release)Impact
An attacker could cause elevated memory usage and potential process instability (denial of service) by sending oversized media payloads.
Fix Commit(s)
73d93dee64127a26f1acd09d0403b794cdeb4f5cRelease Process Note
patched_versionsis pre-set to the planned next release (2026.2.22). After that npm release is published, this advisory can be published without further version-field edits.OpenClaw thanks @tdjackey for reporting.
References