CVE-2026-29609 in OpenClaw

Summary

by MITRE • 03/06/2026

OpenClaw versions prior to 2026.2.14 contain a denial of service vulnerability in the fetchWithGuard function that allocates entire response payloads in memory before enforcing maxBytes limits. Remote attackers can trigger memory exhaustion by serving oversized responses without content-length headers to cause availability loss.

Analysis

by VulDB Data Team • 03/10/2026

CVE-2026-29609 affects OpenClaw versions prior to 2026.2.14 and is a critical denial of service weakness rooted in improper memory management. The flaw sits in the fetchWithGuard function, which handles HTTP response processing: it allocates the full response payload in memory before applying any size restriction. A remote attacker who controls a server the application fetches from can omit the Content-Length header and serve an oversized payload, exhausting available memory and undermining system availability.

The root cause is the order in which fetchWithGuard allocates memory and checks limits. Under CWE-400 this is a resource-management weakness: the system fails to constrain resource consumption while processing data. The function reads the entire response into memory without first validating the size against the configured maximum byte limit, so processing an oversized response exhausts memory before the limit is ever consulted. This violates the resource-limiting and input-validation discipline that every network-facing application should implement.

The operational impact goes beyond a brief service disruption to a loss of availability for the whole system. A successful trigger exhausts memory and causes the application to crash or become unresponsive, denying legitimate users access to its services. The condition can be triggered remotely without authentication, which makes it an attractive target for automated attacks. Because the malicious response carries no Content-Length header, the normal size validation is bypassed: the system cannot determine the actual payload size before the full allocation has already happened.

The attack vector aligns with techniques documented in the ATT&CK framework under the T1499 category for network denial of service attacks. Remote exploitation works through HTTP response manipulation: the attacker's server returns a response that appears legitimate but carries an oversized data payload. The absence of proper input sanitization and resource-limiting controls, which are the essential defensive measures against such attacks, is what makes this possible. System administrators may not recognize the attack immediately, because gradual memory exhaustion is less conspicuous than an outright service outage.

Mitigation must address both the immediate code-level fix and broader architectural improvements. The primary fix is to enforce the maxBytes limit in fetchWithGuard before the payload is processed, checking the size as data arrives rather than after the whole response has been buffered. This aligns with the security best practices in the OWASP Top Ten and NIST cybersecurity guidelines for preventing resource exhaustion attacks. Organizations should also apply rate limiting and connection pooling so that a single attacker cannot exhaust system resources. Upgrading to OpenClaw version 2026.2.14 or later resolves the vulnerability through proper memory management controls and enhanced input validation. Network-level protections such as intrusion detection systems and firewalls add defense in depth, though they cannot remove the vulnerability at its source. Regular security auditing and monitoring of memory consumption patterns help detect exploitation attempts before they cause significant service disruption.
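The following is an added example, not OpenClaw's own code, that places the buffer-then-check pattern described above beside a bounded streaming read that enforces maxBytes as chunks arrive. The function names (makeResponse, readUnbounded, readBounded) are hypothetical, the response body is constructed in-process, and Node 18 or later is assumed for the global Response and ReadableStream.

```javascript
// Added example (not OpenClaw's code); function names are hypothetical and
// Node 18+ is assumed for the global Response and ReadableStream classes.
// Constructed sample: a Response with no Content-Length header that streams
// `chunks` chunks of `chunkSize` bytes. `stats.delivered` counts bytes pulled
// by the client, i.e. the memory it committed to this single response.
function makeResponse(chunks, chunkSize) {
  const stats = { delivered: 0 };
  let sent = 0;
  const body = new ReadableStream({
    pull(controller) {
      if (sent >= chunks) { controller.close(); return; }
      controller.enqueue(new Uint8Array(chunkSize).fill(0x41));
      sent += 1;
      stats.delivered += chunkSize;
    },
  });
  return { res: new Response(body), stats };
}

// Flawed pattern (CWE-400): arrayBuffer() materialises the whole body before
// maxBytes is consulted, so peak memory equals whatever the server sends.
async function readUnbounded(res, maxBytes) {
  const buf = await res.arrayBuffer();
  if (buf.byteLength > maxBytes) throw new Error('response too large');
  return Buffer.from(buf);
}

// Fixed pattern: count bytes as chunks arrive and cancel the body as soon as
// the running total exceeds maxBytes, so at most maxBytes plus one chunk
// (plus one chunk the stream may have prefetched) is ever held.
async function readBounded(res, maxBytes) {
  const reader = res.body.getReader();
  const parts = [];
  let total = 0;
  for (;;) {
    const { done, value } = await reader.read();
    if (done) break;
    total += value.byteLength;
    if (total > maxBytes) {
      await reader.cancel('maxBytes exceeded'); // stop pulling from the socket
      throw new Error(`response exceeded maxBytes (${maxBytes})`);
    }
    parts.push(value);
  }
  return Buffer.concat(parts);
}
```

With a 100 KiB body and a 4 KiB limit, readUnbounded pulls all 102400 bytes before rejecting, while readBounded stops after about 5 to 6 KiB.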

Responsible

VulnCheck

Reservation

03/04/2026

Disclosure

03/06/2026

Moderation

accepted

CPE

ready

EPSS

0.00179

KEV

no

Activities

very low