GHSA-4g5x-2jfc-xm98: openclaw: media download bypass exhausts disk storage
GHSA-4g5x-2jfc-xm98 MEDIUMThe openclaw AI agent framework allowed Tlon media downloads to bypass core safety controls — size limits, download count caps, and cleanup routines — in all versions through 2026.3.28, creating an availability-only resource exhaustion condition on agent hosts. While the maintainer assessed this as narrow/low impact with no data exfiltration or privilege escalation pathway, openclaw carries significant ecosystem risk with 37 CVEs in this package alone and a documented incident (AIID #1368) of malicious skills delivering credential-stealing malware through its plugin ecosystem — defenders should treat any openclaw exposure as higher-context risk than this single advisory suggests. There is no public exploit, EPSS data is unavailable, and this vulnerability is not in the CISA KEV catalog. Patch to version 2026.3.31 or later; if immediate patching is not feasible, apply OS-level disk quotas to the openclaw process and disable or restrict Tlon media integration as a short-term control.
What is the risk?
Low risk in isolation. The vulnerability is availability-only with no code execution, privilege escalation, or data exfiltration vector. No CVSS score has been assigned by NVD, EPSS is unavailable, and the maintainer explicitly assessed it as narrow impact. Risk is elevated by the broader openclaw package posture: 37 total CVEs and a prior incident of malicious skills distribution through its ecosystem suggest systemic supply chain concerns beyond this specific issue. Organizations running openclaw should audit their full plugin inventory, not just patch this individual advisory.
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| OpenClaw | npm | <= 2026.3.28 | 2026.3.31 |
Do you use OpenClaw? You're affected.
How severe is it?
What should I do?
5 steps-
Patch openclaw to version 2026.3.31 or later (fix commit: 2194587d70d2aef863508b945319c5a7c88b12ce).
-
If immediate patching is not possible, disable or restrict Tlon media download functionality at the application or network level.
-
Apply OS-level disk quotas to the user or process running openclaw as defense-in-depth.
-
Instrument disk utilization alerts on agent hosts and trigger on rapid growth.
-
Given openclaw's 37-CVE history and the AIID #1368 malicious-skills incident, audit all installed openclaw plugins and skills for legitimacy before resuming normal operation.
How is it classified?
Which compliance frameworks are affected?
This CVE is relevant to:
Frequently Asked Questions
What is GHSA-4g5x-2jfc-xm98?
The openclaw AI agent framework allowed Tlon media downloads to bypass core safety controls — size limits, download count caps, and cleanup routines — in all versions through 2026.3.28, creating an availability-only resource exhaustion condition on agent hosts. While the maintainer assessed this as narrow/low impact with no data exfiltration or privilege escalation pathway, openclaw carries significant ecosystem risk with 37 CVEs in this package alone and a documented incident (AIID #1368) of malicious skills delivering credential-stealing malware through its plugin ecosystem — defenders should treat any openclaw exposure as higher-context risk than this single advisory suggests. There is no public exploit, EPSS data is unavailable, and this vulnerability is not in the CISA KEV catalog. Patch to version 2026.3.31 or later; if immediate patching is not feasible, apply OS-level disk quotas to the openclaw process and disable or restrict Tlon media integration as a short-term control.
Is GHSA-4g5x-2jfc-xm98 actively exploited?
No confirmed active exploitation of GHSA-4g5x-2jfc-xm98 has been reported, but organizations should still patch proactively.
How to fix GHSA-4g5x-2jfc-xm98?
1. Patch openclaw to version 2026.3.31 or later (fix commit: 2194587d70d2aef863508b945319c5a7c88b12ce). 2. If immediate patching is not possible, disable or restrict Tlon media download functionality at the application or network level. 3. Apply OS-level disk quotas to the user or process running openclaw as defense-in-depth. 4. Instrument disk utilization alerts on agent hosts and trigger on rapid growth. 5. Given openclaw's 37-CVE history and the AIID #1368 malicious-skills incident, audit all installed openclaw plugins and skills for legitimacy before resuming normal operation.
What systems are affected by GHSA-4g5x-2jfc-xm98?
This vulnerability affects the following AI/ML architecture patterns: agent frameworks, plugin architectures.
What is the CVSS score for GHSA-4g5x-2jfc-xm98?
No CVSS score has been assigned yet.
What is the AI security impact?
Affected AI Architectures
MITRE ATLAS Techniques
AML.T0010.005 AI Agent Tool AML.T0029 Denial of AI Service AML.T0034.002 Agentic Resource Consumption Compliance Controls Affected
What are the technical details?
Original Advisory
## Summary Tlon media downloads can bypass core safety limits and exhaust disk ## Current Maintainer Triage - Status: narrow - Normalized severity: low - Assessment: Shipped v2026.3.28 Tlon media downloads bypassed core size/count/cleanup limits, but this is availability-only resource exhaustion in a bundled plugin path, so low. ## Affected Packages / Versions - Package: `openclaw` (npm) - Latest published npm version: `2026.3.31` - Vulnerable version range: `<=2026.3.28` - Patched versions: `>= 2026.3.31` - First stable tag containing the fix: `v2026.3.31` ## Fix Commit(s) - `2194587d70d2aef863508b945319c5a7c88b12ce` — 2026-03-31T19:40:15+09:00 ## Release Process Note - The fix is already present in released version `2026.3.31`. - This draft looks ready for final maintainer disposition or publication, not additional code-fix work. Thanks @AntAISecurityLab for reporting.
Exploitation Scenario
An attacker with access to a Tlon workspace monitored by an openclaw agent submits a sustained stream of large media files or a high volume of small files. Because affected versions bypass size limits, per-download count caps, and cleanup routines, each item is fetched and retained on disk without bound. Once disk is exhausted, the AI agent fails to operate, logging stops, and co-located services may crash. No special privileges are required beyond membership in the target Tlon workspace — the bar is trivially low for any insider or for an attacker who has compromised a Tlon workspace credential.
Weaknesses (CWE)
CWE-434 — Unrestricted Upload of File with Dangerous Type: The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.
- [Architecture and Design] Generate a new, unique filename for an uploaded file instead of using the user-supplied filename, so that no external input is used at all.[REF-422] [REF-423]
- [Architecture and Design] When the set of acceptable objects, such as filenames or URLs, is limited or known, create a mapping from a set of fixed input values (such as numeric IDs) to the actual filenames or URLs, and reject all other inputs.
Source: MITRE CWE corpus.
References
Timeline
Related Vulnerabilities
CVE-2026-33579 9.9 OpenClaw: scope bypass escalates low-priv to admin
Same package: openclaw CVE-2026-32922 9.9 OpenClaw: privilege escalation to RCE via token scope bypass
Same package: openclaw CVE-2026-32038 9.8 OpenClaw: sandbox bypass enables container lateral movement
Same package: openclaw CVE-2026-53838 9.8 OpenClaw: approval scope bypass via reconnection state
Same package: openclaw CVE-2026-30741 9.8 OpenClaw: RCE via request-side prompt injection
Same package: openclaw