CVE-2026-35633 MEDIUM

CVE-2026-35633: OpenClaw < 2026.3.22 - Unbounded Memory Allocation via Remote Media Error Responses

Vendor Openclaw
Product OpenClaw
Weakness CWE-789
Published April 9, 2026
Last update April 14, 2026

CVSS base score

6.9/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

What the vulnerability does

01 Description

OpenClaw before 2026.3.22 contains an unbounded memory allocation vulnerability in remote media HTTP error handling that allows attackers to trigger excessive memory consumption. Attackers can send crafted HTTP error responses with large bodies to remote media endpoints, causing the application to allocate unbounded memory before failure handling occurs.
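The failure mode described above, as an added illustration that is not OpenClaw's code or its patch: an HTTP error-body reader that buffers without limit next to one that stops at a fixed byte budget. The 8 KiB budget, every function and class name, and the oversized sample body are assumptions constructed for this example.

```javascript
// Added illustration, not OpenClaw code. The 8 KiB budget is an assumed value.
const MAX_ERROR_BODY_BYTES = 8 * 1024;

// Accumulates chunks up to a fixed byte budget and records truncation.
class CappedCollector {
  constructor(maxBytes = MAX_ERROR_BODY_BYTES) {
    Object.assign(this, { maxBytes, chunks: [], bytes: 0, truncated: false });
  }
  // Returns false once the budget is spent so the caller stops reading.
  push(chunk) {
    const buf = Buffer.from(chunk);
    const room = this.maxBytes - this.bytes;
    if (buf.length > room) {
      if (room > 0) this.chunks.push(buf.subarray(0, room));
      this.bytes = this.maxBytes;
      this.truncated = true;
      return false;
    }
    this.chunks.push(buf);
    this.bytes += buf.length;
    return true;
  }
  result() {
    const text = Buffer.concat(this.chunks).toString("utf8");
    return { text, bytes: this.bytes, truncated: this.truncated };
  }
}

// Unbounded pattern for contrast: the whole error body is buffered first.
async function readErrorBodyUnbounded(body) {
  const chunks = [];
  for await (const chunk of body) chunks.push(Buffer.from(chunk));
  return Buffer.concat(chunks).toString("utf8");
}

// Bounded: stop pulling from the body once the budget is reached.
// Leaving the loop early closes the iterator, so no further chunks are read.
async function readErrorBodyCapped(body, maxBytes = MAX_ERROR_BODY_BYTES) {
  const collector = new CappedCollector(maxBytes);
  for await (const chunk of body) if (!collector.push(chunk)) break;
  return collector.result();
}

// Constructed input: an oversized error body of 1000 chunks of 64 KiB each.
async function* oversizedBody(counter) {
  for (let i = 0; i < 1000; i++) {
    counter.pulled++;
    yield Buffer.alloc(64 * 1024, 0x41);
  }
}
```

A declared `Content-Length` can be checked against the same budget before reading, but the streaming cap is still needed because the header can be absent or wrong.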

Key dates

02 Disclosure timeline

April 9, 2026 CVE published
April 14, 2026 Record updated