OpenClaw versions prior to 2026.2.14 contain a denial of service vulnerability in the extractArchive function within src/infra/archive.ts that allows attackers to consume excessive CPU, memory, and disk resources through high-expansion ZIP and TAR archives. Remote attackers can trigger resource exhaustion by providing maliciously crafted archive files during install or update operations, causing service degradation or system unavailability.
Attack Parameters
Attack Vector
Local
Requires local access
Attack Complexity
Low
Easy to exploit
Attack Requirements
None
No additional conditions
Privileges Required
None
No privileges needed
User Interaction
Active
User action required
Impact Assessment
Confidentiality
None
No data leak
Integrity
None
No data modification
Availability
High
Complete denial of service
CVSS Vector v4.0
Weakness Type (CWE)
References 4
https://github.com/openclaw/openclaw/commit/5f4b29145c236d124524c2c9af0f8acd048…
disclosure@vulncheck.com
https://github.com/openclaw/openclaw/commit/d3ee5deb87ee2ad0ab83c92c36561116542…
disclosure@vulncheck.com
https://github.com/openclaw/openclaw/security/advisories/GHSA-h89v-j3x9-8wqj
disclosure@vulncheck.com
https://www.vulncheck.com/advisories/openclaw-denial-of-service-via-unguarded-a…
disclosure@vulncheck.com