AI Threat Alert AI Threat Alert

GHSA-4g5x-2jfc-xm98: openclaw: media download bypass exhausts disk storage

GHSA-4g5x-2jfc-xm98 MEDIUM
Published April 7, 2026
CISO Take

The openclaw AI agent framework allowed Tlon media downloads to bypass core safety controls — size limits, download count caps, and cleanup routines — in all versions through 2026.3.28, creating an availability-only resource exhaustion condition on agent hosts. While the maintainer assessed this as narrow/low impact with no data exfiltration or privilege escalation pathway, openclaw carries significant ecosystem risk with 37 CVEs in this package alone and a documented incident (AIID #1368) of malicious skills delivering credential-stealing malware through its plugin ecosystem — defenders should treat any openclaw exposure as higher-context risk than this single advisory suggests. There is no public exploit, EPSS data is unavailable, and this vulnerability is not in the CISA KEV catalog. Patch to version 2026.3.31 or later; if immediate patching is not feasible, apply OS-level disk quotas to the openclaw process and disable or restrict Tlon media integration as a short-term control.

Sources: GitHub Advisory ATLAS

Risk Assessment

Low risk in isolation. The vulnerability is availability-only with no code execution, privilege escalation, or data exfiltration vector. No CVSS score has been assigned by NVD, EPSS is unavailable, and the maintainer explicitly assessed it as narrow impact. Risk is elevated by the broader openclaw package posture: 37 total CVEs and a prior incident of malicious skills distribution through its ecosystem suggest systemic supply chain concerns beyond this specific issue. Organizations running openclaw should audit their full plugin inventory, not just patch this individual advisory.

Affected Systems

Package Ecosystem Vulnerable Range Patched
openclaw npm <= 2026.3.28 2026.3.31

Do you use openclaw? You're affected.

Severity & Risk

CVSS 3.1
N/A
EPSS
N/A
Exploitation Status
No known exploitation
Sophistication
Trivial

Recommended Action

  1. Patch openclaw to version 2026.3.31 or later (fix commit: 2194587d70d2aef863508b945319c5a7c88b12ce).
  2. If immediate patching is not possible, disable or restrict Tlon media download functionality at the application or network level.
  3. Apply OS-level disk quotas to the user or process running openclaw as defense-in-depth.
  4. Instrument disk utilization alerts on agent hosts and trigger on rapid growth.
  5. Given openclaw's 37-CVE history and the AIID #1368 malicious-skills incident, audit all installed openclaw plugins and skills for legitimacy before resuming normal operation.

Classification

DoS Agent Plugin AML.T0010.005 AML.T0029 AML.T0034.002

Compliance Impact

This CVE is relevant to:

ISO 42001
A.6.2 - AI system operational monitoring and control
NIST AI RMF
MANAGE 2.4 - Mechanisms to manage AI risks of all types
OWASP LLM Top 10
LLM07 - Insecure Plugin Design

Technical Details

NVD Description

## Summary Tlon media downloads can bypass core safety limits and exhaust disk ## Current Maintainer Triage - Status: narrow - Normalized severity: low - Assessment: Shipped v2026.3.28 Tlon media downloads bypassed core size/count/cleanup limits, but this is availability-only resource exhaustion in a bundled plugin path, so low. ## Affected Packages / Versions - Package: `openclaw` (npm) - Latest published npm version: `2026.3.31` - Vulnerable version range: `<=2026.3.28` - Patched versions: `>= 2026.3.31` - First stable tag containing the fix: `v2026.3.31` ## Fix Commit(s) - `2194587d70d2aef863508b945319c5a7c88b12ce` — 2026-03-31T19:40:15+09:00 ## Release Process Note - The fix is already present in released version `2026.3.31`. - This draft looks ready for final maintainer disposition or publication, not additional code-fix work. Thanks @AntAISecurityLab for reporting.

Exploitation Scenario

An attacker with access to a Tlon workspace monitored by an openclaw agent submits a sustained stream of large media files or a high volume of small files. Because affected versions bypass size limits, per-download count caps, and cleanup routines, each item is fetched and retained on disk without bound. Once disk is exhausted, the AI agent fails to operate, logging stops, and co-located services may crash. No special privileges are required beyond membership in the target Tlon workspace — the bar is trivially low for any insider or for an attacker who has compromised a Tlon workspace credential.

Weaknesses (CWE)

CWE-434 Unrestricted Upload of File with Dangerous Type Primary

References

Timeline

Published
April 7, 2026
Last Modified
April 7, 2026
First Seen
April 7, 2026

Related Vulnerabilities

CRITICAL CVE-2026-30741 9.8

OpenClaw: RCE via request-side prompt injection

Same package: openclaw
CRITICAL CVE-2026-28451 9.3

OpenClaw: SSRF via Feishu extension exposes internal services

Same package: openclaw
HIGH GHSA-m3mh-3mpg-37hw 8.6

OpenClaw: .npmrc hijack enables RCE on plugin install

Same package: openclaw
HIGH CVE-2026-27001 7.8

OpenClaw: prompt injection via unsanitized workspace path

Same package: openclaw
HIGH GHSA-hr5v-j9h9-xjhg 7.7

OpenClaw: sandbox escape via mediaUrl path traversal

Same package: openclaw
Back to Threat Feed