Vulnerability Report

CVE-2026-29609

Title: Denial of Service in fetchWithGuard

DoS

Proof Of Concept

No public PoC currently indexed for CVE-2026-29609.

CWE Category CWE-770

Published Date Mar 05, 2026

Modified Date Mar 11, 2026

Exploit Status Not Found

Score 8.7 CVSS v4.0

Exploit Probability (EPSS)

0.43%

Vulnerability Summary

CVE-2026-29609: OpenClaw versions prior to 2026.2.14 contain a denial of service vulnerability in the fetchWithGuard function that allocates entire response payloads in memory before enforcing maxBytes limits. Remote attackers can trigger memory exhaustion by serving oversized responses without content-length headers to cause availability loss.

Impacted Vendors

openclaw 1

Reference Links

https://github.com/openclaw/openclaw/commit/00a08908892d1743d1fc52e5cbd9499dd5da2fe0 https://github.com/openclaw/openclaw/security/advisories/GHSA-j27p-hq53-9wgc https://www.vulncheck.com/advisories/openclaw-denial-of-service-via-unbounded-url-backed-media-fetch

CVSS v4.0

Source Entity [email protected]

Severity HIGH

8.7

Attack Vector

NETWORK

Complexity

LOW

Privileges

N/A

Interaction

NONE

Confidentiality

N/A

Integrity

N/A

Availability

N/A

Scope

N/A

RAW VECTOR

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CVSS v3.1