GHSA-ccx3-fw7q-rr2r: openclaw: base64 pre-alloc bypass causes resource exhaustion

GHSA-ccx3-fw7q-rr2r MEDIUM
Published April 9, 2026
CISO Take

OpenClaw's npm package contains multiple base64 decode paths that allocate memory before enforcing decoded-size limits (CWE-770), enabling resource exhaustion in this local AI assistant. While the advisory explicitly scopes this to a local, non-multi-tenant trust model with no EPSS data, no public exploit, and no KEV designation, the 60 prior CVEs on this package and the documented malicious skills ecosystem (AIID #1368, ~17% malicious skills reported in Feb 2026) signal a historically vulnerable codebase that warrants prioritized patching. Upgrade to version 2026.4.8 — verified against targeted regression tests at commit d7c3210 — and audit any third-party ClawHub skills already installed.

Sources: GitHub Advisory ATLAS

Risk Assessment

Medium risk overall. CWE-770 without enforced decoded-size limits can cause denial-of-service in affected OpenClaw instances through crafted base64 input. The advisory explicitly limits scope to a local, user-controlled environment, reducing blast radius compared to a server-side or multi-tenant deployment. No active exploitation is observed, and no public exploit or scanner template exists. However, OpenClaw's demonstrated third-party skill ecosystem abuse (AIID #1368) provides a realistic delivery vector, and the package's history of 60 CVEs is a structural quality signal that elevates the practical risk above what the medium CVSS label alone implies.

Affected Systems

Package    Ecosystem    Vulnerable Range    Patched
openclaw   npm          < 2026.4.8          2026.4.8


Severity & Risk

CVSS 3.1: N/A
EPSS: N/A
Exploitation Status: No known exploitation
Sophistication: Moderate

Recommended Action

  1. Upgrade openclaw (npm) to 2026.4.8 immediately — verify with `npm list openclaw`.
  2. Pin the fixed commit (d7c3210cd6f5fdfdc1beff4c9541673e814354d5) in any CI/CD pipelines that lock dependencies by hash.
  3. If patching is not immediately feasible, restrict or disable third-party skill installation from ClawHub to reduce the primary delivery vector.
  4. Monitor for anomalous memory consumption or process crashes in OpenClaw as a detection signal for exploitation attempts.
  5. Audit all currently installed skills for provenance — given AIID #1368 findings, treat any skill not sourced from a verified publisher as untrusted input.
  6. Track future advisories from @zsxsoft and @KeenSecurityLab who discovered this class of issue.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act: Art. 9 - Risk Management System
ISO 42001: A.6.1 - AI System Objectives and Design
NIST AI RMF: MANAGE 2.2 - Risk Treatment
OWASP LLM Top 10: LLM04 - Model Denial of Service

Related AI Incidents (1)

Source: AI Incident Database (AIID)

Frequently Asked Questions

What is GHSA-ccx3-fw7q-rr2r?

OpenClaw's npm package contains multiple base64 decode paths that allocate memory before enforcing decoded-size limits (CWE-770), enabling resource exhaustion in this local AI assistant. While the advisory explicitly scopes this to a local, non-multi-tenant trust model with no EPSS data, no public exploit, and no KEV designation, the 60 prior CVEs on this package and the documented malicious skills ecosystem (AIID #1368, ~17% malicious skills reported in Feb 2026) signal a historically vulnerable codebase that warrants prioritized patching. Upgrade to version 2026.4.8 — verified against targeted regression tests at commit d7c3210 — and audit any third-party ClawHub skills already installed.

Is GHSA-ccx3-fw7q-rr2r actively exploited?

No confirmed active exploitation of GHSA-ccx3-fw7q-rr2r has been reported, but organizations should still patch proactively.

How to fix GHSA-ccx3-fw7q-rr2r?

  1. Upgrade openclaw (npm) to 2026.4.8 immediately — verify with `npm list openclaw`.
  2. Pin the fixed commit (d7c3210cd6f5fdfdc1beff4c9541673e814354d5) in any CI/CD pipelines that lock dependencies by hash.
  3. If patching is not immediately feasible, restrict or disable third-party skill installation from ClawHub to reduce the primary delivery vector.
  4. Monitor for anomalous memory consumption or process crashes in OpenClaw as a detection signal for exploitation attempts.
  5. Audit all currently installed skills for provenance — given AIID #1368 findings, treat any skill not sourced from a verified publisher as untrusted input.
  6. Track future advisories from @zsxsoft and @KeenSecurityLab who discovered this class of issue.

What systems are affected by GHSA-ccx3-fw7q-rr2r?

This vulnerability affects the following AI/ML architecture patterns: local AI assistants, agent frameworks, AI tool plugin/skills ecosystems.

What is the CVSS score for GHSA-ccx3-fw7q-rr2r?

No CVSS score has been assigned yet.

Technical Details

NVD Description

Impact

Multiple Code Paths Missing Base64 Pre-Allocation Size Checks. Several base64 decode paths could allocate before enforcing decoded-size limits. OpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary.

Affected Packages / Versions

  - Package: `openclaw` (npm)
  - Affected versions: `<=v2026.4.2`
  - Patched versions: `2026.4.8`

Fix

The issue was fixed on `main` and is available in the patched npm version listed above. The verified fixed tree is commit `d7c3210cd6f5fdfdc1beff4c9541673e814354d5`.

Verification

The fix was re-checked against `main` before publication, including targeted regression tests for the affected security boundary.

Credits

Thanks @zsxsoft and @KeenSecurityLab for reporting.
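The CWE-770 pattern the advisory describes, shown as an added Node.js example that is not OpenClaw's code: the weak form decodes first and checks the limit afterwards, so the full decoded buffer is already allocated when the limit is consulted; the corrected form bounds the decoded size from the encoded string's length and padding before any allocation. `MAX_DECODED_BYTES` and the sample inputs are constructed for the example, not values from the advisory.

```javascript
// Added example, not from the OpenClaw project. Assumes Node.js (Buffer).
const MAX_DECODED_BYTES = 1024 * 1024; // 1 MiB: an illustrative limit, not the project's

// Weak pattern (CWE-770): decode, then check. Buffer.from has already allocated
// the whole decoded payload by the time the limit is enforced, so the limit
// bounds nothing; an oversized input is rejected only after the allocation.
function decodeCheckAfter(b64) {
  const buf = Buffer.from(b64, 'base64');
  if (buf.length > MAX_DECODED_BYTES) throw new RangeError('decoded payload too large');
  return buf;
}

// O(1) upper bound on the decoded size, computed from the encoded text alone.
// Every 4 base64 characters yield 3 bytes; trailing '=' padding removes up to 2.
// Node's decoder silently skips non-alphabet characters (e.g. whitespace), so this
// can only over-estimate, which is the safe direction for a pre-allocation check.
// Buffer.byteLength(b64, 'base64') is the built-in equivalent of this computation.
function maxDecodedSize(b64) {
  const len = b64.length;
  let padding = 0;
  if (len > 0 && b64[len - 1] === '=') padding++;
  if (len > 1 && b64[len - 2] === '=') padding++;
  return Math.floor((len * 3) / 4) - padding;
}

// Corrected pattern: enforce the limit before allocating the decoded buffer.
// The encoded string is already in memory; bounding that input is the job of the
// transport layer (request body / file size limits), which this check complements.
function decodeCheckBefore(b64) {
  if (typeof b64 !== 'string') throw new TypeError('expected a base64 string');
  const bound = maxDecodedSize(b64);
  if (bound > MAX_DECODED_BYTES) {
    throw new RangeError(`decoded size bound ${bound} exceeds limit ${MAX_DECODED_BYTES}`);
  }
  return Buffer.from(b64, 'base64');
}

// Constructed inputs: a small valid payload and an oversized one (2 MiB of 'A').
const SMALL_INPUT = 'aGVsbG8=';                        // "hello"
const OVERSIZED_INPUT = 'A'.repeat(2 * MAX_DECODED_BYTES);

// Returns whether a decoder rejected the oversized input, without leaking the buffer.
function rejectsOversized(decoder) {
  try { decoder(OVERSIZED_INPUT); return false; } catch (e) { return e instanceof RangeError; }
}

module.exports = { maxDecodedSize, decodeCheckAfter, decodeCheckBefore, rejectsOversized, SMALL_INPUT };
```

Both decoders reject the oversized input, but only `decodeCheckBefore` does so without first allocating the 1.5 MiB decoded buffer; the regression to look for in a review is a `Buffer.from(..., 'base64')` call that precedes the length check.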

Exploitation Scenario

An adversary publishes a malicious skill to ClawHub containing a crafted base64-encoded payload sized to exploit the missing pre-allocation size check. When a user installs and invokes the skill, OpenClaw's decode path allocates memory proportional to the crafted payload before the size limit check executes, exhausting available memory. In a targeted scenario consistent with AIID #1368, this DoS condition serves as a smokescreen — the memory exhaustion crash disrupts the assistant while a co-delivered malicious payload (e.g., an infostealer) executes in the background to exfiltrate session tokens, browser credentials, or API keys stored locally.

Timeline

Published: April 9, 2026
Last Modified: April 9, 2026
First Seen: April 9, 2026
