CVE-2026-29612
Published: 05 March 2026
Summary
CVE-2026-29612 is a medium-severity Allocation of Resources Without Limits or Throttling (CWE-770) vulnerability in Openclaw Openclaw. Its CVSS base score is 5.5 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 34.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Threat & Defense at a Glance
Threat & Defense Details
Likely Mitigating ControlsAI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
This control implements explicit throttling on session allocation, addressing the weakness of allocating resources without limits.
Plan testing exercises resource allocation limits and throttling during simulated failures, directly addressing weaknesses that allow unbounded resource use.
Contingency plan updates ensure recovery strategies address unbounded resource allocation, making it harder for attackers to exploit lack of throttling to cause prolonged outages.
Provides continuity when unbounded resource allocation at the primary site leads to exhaustion and downtime.
Alternate services allow operations to continue when primary allocation of resources lacks limits or throttling.
Explicit planning of security-related actions requires defining limits, windows, and resource allocations, making allocation without throttling far less likely.
Measures of performance include tracking allocation behavior and throttling effectiveness, reducing the window for resource exhaustion attacks.
Imposes an inactivity-based limit on network resource allocation, throttling the number of concurrently held connections.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Local DoS via unbounded base64 media decode causing excessive memory allocation directly enables application/system exploitation for endpoint denial of service (T1499.004).
NVD Description
OpenClaw versions prior to 2026.2.14 decode base64-backed media inputs into buffers before enforcing decoded-size budget limits, allowing attackers to trigger large memory allocations. Remote attackers can supply oversized base64 payloads to cause memory pressure and denial of service.
Deeper analysisAI
CVE-2026-29612, published on 2026-03-05, affects OpenClaw versions prior to 2026.2.14. The vulnerability arises because the software decodes base64-backed media inputs into buffers before enforcing decoded-size budget limits, allowing attackers to trigger large memory allocations. This issue is classified under CWE-770 (Allocation of Resources Without Limits or Throttling) and carries a CVSS v3.1 base score of 5.5 (AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H), indicating medium severity primarily due to high availability impact.
A local attacker with low privileges can exploit this vulnerability by supplying oversized base64 payloads as media inputs. Although the description references remote attackers, the CVSS vector specifies local access (AV:L). Successful exploitation leads to memory pressure and denial of service through excessive resource consumption.
Mitigation is addressed in the referenced advisories and patch. The GitHub commit at https://github.com/openclaw/openclaw/commit/31791233d60495725fa012745dde8d6ee69e9595 fixes the decoding logic to enforce size limits prior to allocation. The OpenClaw security advisory (https://github.com/openclaw/openclaw/security/advisories/GHSA-w2cg-vxx6-5xjg) and VulnCheck advisory (https://www.vulncheck.com/advisories/openclaw-denial-of-service-via-large-base-media-file-decoding) recommend upgrading to OpenClaw version 2026.2.14 or later.
Details
- CWE(s)