CVE-2026-32049: OpenClaw's inbound media downloads could exceed configured byte limits before rejection across multiple channels
OpenClaw did not consistently enforce configured inbound media byte limits before buffering remote media in several channel ingestion paths. A remote sender could trigger oversized downloads and memory pressure before rejection.
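The defect described above is an ordering problem: the byte limit is compared only after the whole remote body has been read into memory, so the check cannot bound what an oversized download costs. The following is an added example, not OpenClaw's code and not the fix from the referenced commit; it models chunk arrival with a generator and constructed sizes (a 4096-byte limit, a 1 MiB body) and contrasts the buffer-then-check pattern with a limit enforced per chunk, reporting how many bytes each pattern holds in memory before it reaches a verdict.

```javascript
// Added example (not OpenClaw's code): enforce an inbound media byte limit
// chunk by chunk instead of after the whole body has been buffered.

class MediaTooLargeError extends Error {
  constructor(seen, limit, peakHeld) {
    super(`inbound media rejected: ${seen} bytes exceeds limit of ${limit}`);
    this.name = "MediaTooLargeError";
    this.peakHeld = peakHeld; // bytes sitting in memory when the rejection happened
  }
}

// Constructed stand-in for a remote response body: yields `total` bytes in
// `chunkSize` pieces. A real body would be consumed the same way with for-await.
function* fakeBody(total, chunkSize) {
  for (let sent = 0; sent < total; sent += chunkSize) {
    yield new Uint8Array(Math.min(chunkSize, total - sent)).fill(0x41);
  }
}

function concat(chunks, total) {
  const out = new Uint8Array(total);
  let off = 0;
  for (const c of chunks) {
    out.set(c, off);
    off += c.length;
  }
  return out;
}

// Vulnerable pattern: buffer everything the sender provides, then compare.
// Peak memory equals the sender-chosen body size, whatever the limit says.
function bufferThenCheck(body, maxBytes) {
  const chunks = [];
  let held = 0;
  for (const chunk of body) {
    chunks.push(chunk);
    held += chunk.length;
  }
  if (held > maxBytes) throw new MediaTooLargeError(held, maxBytes, held);
  return { data: concat(chunks, held), peakHeld: held };
}

// Hardened pattern: reject on the declared length before reading anything,
// then count bytes as they arrive and stop at the first chunk that crosses
// the limit. Peak memory is bounded by maxBytes plus one chunk.
function readWithLimit(body, maxBytes, declaredLength) {
  if (Number.isFinite(declaredLength) && declaredLength > maxBytes) {
    throw new MediaTooLargeError(declaredLength, maxBytes, 0);
  }
  const chunks = [];
  let held = 0;
  for (const chunk of body) {
    held += chunk.length;
    if (held > maxBytes) throw new MediaTooLargeError(held, maxBytes, held);
    chunks.push(chunk);
  }
  return { data: concat(chunks, held), peakHeld: held };
}

// Run one strategy against a body of `totalBytes` and report the verdict plus
// how many bytes were held in memory before that verdict was reached.
function measure(strategy, totalBytes, maxBytes, declaredLength) {
  try {
    const r = strategy(fakeBody(totalBytes, 1024), maxBytes, declaredLength);
    return { accepted: true, peakHeld: r.peakHeld };
  } catch (e) {
    if (e instanceof MediaTooLargeError) return { accepted: false, peakHeld: e.peakHeld };
    throw e;
  }
}

const LIMIT = 4096;        // configured inbound media limit (constructed value)
const OVERSIZED = 1 << 20; // 1 MiB body from a remote sender (constructed value)
console.log("buffer-then-check:", measure(bufferThenCheck, OVERSIZED, LIMIT));
console.log("stream-with-limit:", measure(readWithLimit, OVERSIZED, LIMIT));
console.log("declared-length  :", measure(readWithLimit, OVERSIZED, LIMIT, OVERSIZED));
console.log("within-limit     :", measure(readWithLimit, 3000, LIMIT));
```

With a 1 MiB body and a 4096-byte limit, `bufferThenCheck` holds the full 1048576 bytes before rejecting, while `readWithLimit` stops at 5120 bytes (four full chunks plus the one that crossed the line) and at 0 bytes when the sender declares its length up front. In a real handler the body is `response.body` consumed with `for await`, and `declaredLength` comes from the Content-Length header; a declared length is a hint from the sender, which is why the per-chunk count stays in place regardless. The advisory's point about "several channel ingestion paths" is the other half of the fix: one shared limited reader, used by every channel, rather than a check re-implemented per path.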
References
- github.com/advisories/GHSA-rxxp-482v-7mrh
- github.com/openclaw/openclaw
- github.com/openclaw/openclaw/commit/73d93dee64127a26f1acd09d0403b794cdeb4f5c
- github.com/openclaw/openclaw/security/advisories/GHSA-rxxp-482v-7mrh
- nvd.nist.gov/vuln/detail/CVE-2026-32049
- www.vulncheck.com/advisories/openclaw-denial-of-service-via-inbound-media-download-byte-limit-bypass