CVE-2026-28452

Severity Medium · CVSS 4.0 base score 6.7 · EPSS 23.6%
Published Mar 5, 2026 · Modified Jun 17, 2026

Description

OpenClaw versions prior to 2026.2.14 contain a denial of service vulnerability in the extractArchive function within src/infra/archive.ts that allows attackers to consume excessive CPU, memory, and disk resources through high-expansion ZIP and TAR archives. Remote attackers can trigger resource exhaustion by providing maliciously crafted archive files during install or update operations, causing service degradation or system unavailability.

CVSS Details

Base Score 6.7 (CVSS 4.0)
Vector string
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector Local
Attack Complexity Low
Attack Requirements None
Privileges Required None
User Interaction Active
Vulnerable System Impact Confidentiality None, Integrity None, Availability High
Subsequent System Impact None
Supplemental metrics (Safety, Automatable, Recovery, Value Density, Response Effort, Provider Urgency) Not Defined

Note that the vector scores Attack Vector as Local with Active user interaction: the attacker must get a crafted archive onto the host and have it extracted during an install or update. Read the description's "remote attackers" in that light; the archive can be delivered remotely, but extraction is a local, user-driven step.

Threat Intelligence

EPSS Exploit Probability
23.6%
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-770 Allocation of Resources Without Limits or Throttling

Affected Products 1

Vendor    Product    Version    Range
openclaw  openclaw   *          <2026.2.14

References 4

  • github.com https://github.com/openclaw/openclaw/commit/5f4b29145c236d124524c2c9af0f8acd048fbdea
    Patch
  • github.com https://github.com/openclaw/openclaw/commit/d3ee5deb87ee2ad0ab83c92c365611165423cb71
    Patch
  • github.com https://github.com/openclaw/openclaw/security/advisories/GHSA-h89v-j3x9-8wqj
    Patch, Vendor Advisory
  • vulncheck.com https://www.vulncheck.com/advisories/openclaw-denial-of-service-via-unguarded-archive-extraction-in-extractarchive
    Third Party Advisory

Remediation

Upgrade to OpenClaw 2026.2.14 or later. The fix is carried by the two commits below and documented in the vendor advisory.

  • github.com https://github.com/openclaw/openclaw/commit/5f4b29145c236d124524c2c9af0f8acd048fbdea
    Patch
  • github.com https://github.com/openclaw/openclaw/commit/d3ee5deb87ee2ad0ab83c92c365611165423cb71
    Patch
  • github.com https://github.com/openclaw/openclaw/security/advisories/GHSA-h89v-j3x9-8wqj
    Patch, Vendor Advisory