CVE-2026-29612
📋 TL;DR
OpenClaw versions before 2026.2.14 have a memory allocation vulnerability where base64-encoded media files are fully decoded before size limits are enforced. Attackers can send specially crafted large base64 payloads to cause excessive memory consumption, leading to denial of service. This affects all systems running vulnerable OpenClaw versions that process base64 media inputs.
💻 Affected Systems
- OpenClaw
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete service unavailability due to memory exhaustion, potentially causing system crashes or requiring restarts.
Likely Case
Degraded performance, service instability, and temporary denial of service affecting application availability.
If Mitigated
Minimal impact with proper memory limits and monitoring in place; potential performance degradation but no service disruption.
🎯 Exploit Status
Exploitation requires sending large base64 payloads to vulnerable endpoints; no authentication needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2026.2.14
Vendor Advisory: https://github.com/openclaw/openclaw/security/advisories/GHSA-w2cg-vxx6-5xjg
Restart Required: Yes
Instructions:
1. Update OpenClaw to version 2026.2.14 or later.
2. Restart the OpenClaw service.
3. Verify the update was successful.
🔧 Temporary Workarounds
Implement input size validation
Add size validation for base64 inputs before decoding to limit memory allocation.
Configure application to reject base64 payloads exceeding reasonable size limits before decoding.
Rate limiting
Implement rate limiting on endpoints accepting base64 media inputs.
Configure rate limiting rules for media processing endpoints.
🧯 If You Can't Patch
- Implement strict input validation to reject oversized base64 payloads before processing.
- Deploy memory monitoring and alerting to detect abnormal memory consumption patterns.
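As an added illustration (not OpenClaw's own code), the decode-then-check ordering the advisory describes is shown beside the check-before-decode pattern recommended in the workarounds above, in Node.js. The 10 MiB limit, the function names and the data-URI handling are assumptions for this example.

```javascript
// Added example, not code from OpenClaw: bounding base64 media input before decoding.
const MAX_DECODED_BYTES = 10 * 1024 * 1024; // assumed policy limit: 10 MiB of decoded media

// Upper bound on the decoded size computed from the encoded length alone, with no
// allocation: base64 maps every 4 input characters to 3 output bytes, and each
// trailing '=' removes one byte from the final group.
function maxDecodedLength(b64) {
  const len = b64.length;
  if (len === 0) return 0;
  const pad = b64.endsWith('==') ? 2 : b64.endsWith('=') ? 1 : 0;
  return Math.floor((len * 3) / 4) - pad;
}

// Vulnerable ordering described by the advisory: the whole decoded buffer is
// allocated first, and the size limit is only consulted afterwards.
function decodeMediaVulnerable(b64, limit = MAX_DECODED_BYTES) {
  const buf = Buffer.from(b64, 'base64');
  if (buf.length > limit) throw new RangeError('media too large');
  return buf;
}

// Hardened ordering: reject oversized input using the encoded length before any
// decoding happens, so a large payload costs no more than the string it arrived in.
function decodeMediaSafe(b64, limit = MAX_DECODED_BYTES) {
  if (typeof b64 !== 'string') throw new TypeError('base64 input must be a string');
  // Strip an optional data-URI prefix such as "data:image/png;base64," (assumed input shape).
  const comma = b64.indexOf(',');
  const payload = b64.startsWith('data:') && comma !== -1 ? b64.slice(comma + 1) : b64;
  // Strict alphabet check; whitespace-wrapped base64 is rejected here by design.
  if (!/^[A-Za-z0-9+\/]*={0,2}$/.test(payload)) throw new TypeError('malformed base64');
  if (maxDecodedLength(payload) > limit) throw new RangeError('media too large');
  return Buffer.from(payload, 'base64');
}
```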
🔍 How to Verify
Check if Vulnerable:
Check the OpenClaw version; if it is earlier than 2026.2.14, the system is vulnerable.
Check Version:
openclaw --version
Verify Fix Applied:
Verify OpenClaw version is 2026.2.14 or later and test with controlled base64 payloads.
📡 Detection & Monitoring
Log Indicators:
- Unusually large base64 payloads in request logs
- Memory allocation errors or warnings
- Service restart events
Network Indicators:
- Large base64 payloads in HTTP POST/PUT requests to media endpoints
- Spike in memory usage correlated with specific requests
SIEM Query:
source="openclaw.log" AND (message="*memory allocation*" OR (message="*base64*" AND size>1000000))