GHSA-4g5x-2jfc-xm98: openclaw: media download bypass exhausts disk storage

GHSA-4g5x-2jfc-xm98 MEDIUM
Published April 7, 2026
CISO Take

The openclaw AI agent framework allowed Tlon media downloads to bypass core safety controls — size limits, download count caps, and cleanup routines — in all versions through 2026.3.28, creating an availability-only resource exhaustion condition on agent hosts. While the maintainer assessed this as narrow/low impact with no data exfiltration or privilege escalation pathway, openclaw carries significant ecosystem risk with 37 CVEs in this package alone and a documented incident (AIID #1368) of malicious skills delivering credential-stealing malware through its plugin ecosystem — defenders should treat any openclaw exposure as higher-context risk than this single advisory suggests. There is no public exploit, EPSS data is unavailable, and this vulnerability is not in the CISA KEV catalog. Patch to version 2026.3.31 or later; if immediate patching is not feasible, apply OS-level disk quotas to the openclaw process and disable or restrict Tlon media integration as a short-term control.

Sources: GitHub Advisory ATLAS

What is the risk?

Low risk in isolation. The vulnerability is availability-only with no code execution, privilege escalation, or data exfiltration vector. No CVSS score has been assigned by NVD, EPSS is unavailable, and the maintainer explicitly assessed it as narrow impact. Risk is elevated by the broader openclaw package posture: 37 total CVEs and a prior incident of malicious skills distribution through its ecosystem suggest systemic supply chain concerns beyond this specific issue. Organizations running openclaw should audit their full plugin inventory, not just patch this individual advisory.

What systems are affected?

Package Ecosystem Vulnerable Range Patched
OpenClaw npm <= 2026.3.28 2026.3.31
4 dependents 41% patched ~3d to patch Full package profile →

Do you use OpenClaw? You're affected.

How severe is it?

CVSS 3.1
N/A
EPSS
N/A
Exploitation Status
No known exploitation
Sophistication
Trivial

What should I do?

5 steps
  1. Patch openclaw to version 2026.3.31 or later (fix commit: 2194587d70d2aef863508b945319c5a7c88b12ce).

  2. If immediate patching is not possible, disable or restrict Tlon media download functionality at the application or network level.

  3. Apply OS-level disk quotas to the user or process running openclaw as defense-in-depth.

  4. Instrument disk utilization alerts on agent hosts and trigger on rapid growth.

  5. Given openclaw's 37-CVE history and the AIID #1368 malicious-skills incident, audit all installed openclaw plugins and skills for legitimacy before resuming normal operation.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

ISO 42001
A.6.2 - AI system operational monitoring and control
NIST AI RMF
MANAGE 2.4 - Mechanisms to manage AI risks of all types
OWASP LLM Top 10
LLM07 - Insecure Plugin Design

Frequently Asked Questions

What is GHSA-4g5x-2jfc-xm98?

The openclaw AI agent framework allowed Tlon media downloads to bypass core safety controls — size limits, download count caps, and cleanup routines — in all versions through 2026.3.28, creating an availability-only resource exhaustion condition on agent hosts. While the maintainer assessed this as narrow/low impact with no data exfiltration or privilege escalation pathway, openclaw carries significant ecosystem risk with 37 CVEs in this package alone and a documented incident (AIID #1368) of malicious skills delivering credential-stealing malware through its plugin ecosystem — defenders should treat any openclaw exposure as higher-context risk than this single advisory suggests. There is no public exploit, EPSS data is unavailable, and this vulnerability is not in the CISA KEV catalog. Patch to version 2026.3.31 or later; if immediate patching is not feasible, apply OS-level disk quotas to the openclaw process and disable or restrict Tlon media integration as a short-term control.

Is GHSA-4g5x-2jfc-xm98 actively exploited?

No confirmed active exploitation of GHSA-4g5x-2jfc-xm98 has been reported, but organizations should still patch proactively.

How to fix GHSA-4g5x-2jfc-xm98?

1. Patch openclaw to version 2026.3.31 or later (fix commit: 2194587d70d2aef863508b945319c5a7c88b12ce). 2. If immediate patching is not possible, disable or restrict Tlon media download functionality at the application or network level. 3. Apply OS-level disk quotas to the user or process running openclaw as defense-in-depth. 4. Instrument disk utilization alerts on agent hosts and trigger on rapid growth. 5. Given openclaw's 37-CVE history and the AIID #1368 malicious-skills incident, audit all installed openclaw plugins and skills for legitimacy before resuming normal operation.

What systems are affected by GHSA-4g5x-2jfc-xm98?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, plugin architectures.

What is the CVSS score for GHSA-4g5x-2jfc-xm98?

No CVSS score has been assigned yet.

What is the AI security impact?

Affected AI Architectures

agent frameworksplugin architectures

MITRE ATLAS Techniques

AML.T0010.005 AI Agent Tool
AML.T0029 Denial of AI Service
AML.T0034.002 Agentic Resource Consumption

Compliance Controls Affected

ISO 42001: A.6.2
NIST AI RMF: MANAGE 2.4
OWASP LLM Top 10: LLM07

What are the technical details?

Original Advisory

## Summary Tlon media downloads can bypass core safety limits and exhaust disk ## Current Maintainer Triage - Status: narrow - Normalized severity: low - Assessment: Shipped v2026.3.28 Tlon media downloads bypassed core size/count/cleanup limits, but this is availability-only resource exhaustion in a bundled plugin path, so low. ## Affected Packages / Versions - Package: `openclaw` (npm) - Latest published npm version: `2026.3.31` - Vulnerable version range: `<=2026.3.28` - Patched versions: `>= 2026.3.31` - First stable tag containing the fix: `v2026.3.31` ## Fix Commit(s) - `2194587d70d2aef863508b945319c5a7c88b12ce` — 2026-03-31T19:40:15+09:00 ## Release Process Note - The fix is already present in released version `2026.3.31`. - This draft looks ready for final maintainer disposition or publication, not additional code-fix work. Thanks @AntAISecurityLab for reporting.

Exploitation Scenario

An attacker with access to a Tlon workspace monitored by an openclaw agent submits a sustained stream of large media files or a high volume of small files. Because affected versions bypass size limits, per-download count caps, and cleanup routines, each item is fetched and retained on disk without bound. Once disk is exhausted, the AI agent fails to operate, logging stops, and co-located services may crash. No special privileges are required beyond membership in the target Tlon workspace — the bar is trivially low for any insider or for an attacker who has compromised a Tlon workspace credential.

Weaknesses (CWE)

CWE-434 — Unrestricted Upload of File with Dangerous Type: The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

  • [Architecture and Design] Generate a new, unique filename for an uploaded file instead of using the user-supplied filename, so that no external input is used at all.[REF-422] [REF-423]
  • [Architecture and Design] When the set of acceptable objects, such as filenames or URLs, is limited or known, create a mapping from a set of fixed input values (such as numeric IDs) to the actual filenames or URLs, and reject all other inputs.

Source: MITRE CWE corpus.

Timeline

Published
April 7, 2026
Last Modified
April 7, 2026
First Seen
April 7, 2026

Related Vulnerabilities