CVE-2026-41408 Overview
CVE-2026-41408 is a resource exhaustion vulnerability affecting OpenClaw versions prior to 2026.3.31. The vulnerability exists in the media downloads functionality, where attackers can bypass core safety limits for file size, count, and cleanup operations. By exploiting this flaw, an attacker can exhaust disk space through unrestricted media file downloads without triggering the intended safety restrictions, resulting in denial of service through availability impact.
Critical Impact
Authenticated attackers can exhaust disk space on affected systems by downloading unlimited media files, bypassing file size and count restrictions, potentially causing service disruption.
Affected Products
- OpenClaw versions prior to 2026.3.31
Discovery Timeline
- 2026-04-28 - CVE-2026-41408 published to NVD
- 2026-04-28 - Last updated in NVD database
Technical Details for CVE-2026-41408
Vulnerability Analysis
This vulnerability is classified under CWE-770: Allocation of Resources Without Limits or Throttling. The core issue lies in the media download handler within OpenClaw's Tlon extension, which failed to enforce proper restrictions on inbound media downloads. Prior to the fix, the application used stream-based downloads without implementing the centralized media runtime safety controls, allowing attackers to bypass file size limits, file count restrictions, and cleanup mechanisms.
The vulnerability requires network access and authenticated privileges to exploit. While the availability impact is limited in scope, persistent abuse could lead to disk exhaustion on systems hosting OpenClaw instances, particularly in environments with constrained storage resources.
Root Cause
The root cause stems from the direct use of raw stream-based file operations (createWriteStream, pipeline) for media downloads instead of leveraging OpenClaw's centralized media runtime SDK. The original implementation in extensions/tlon/src/monitor/media.ts bypassed the built-in safety controls provided by openclaw/plugin-sdk/media-runtime, which includes MAX_IMAGE_BYTES limits and proper resource management.
Attack Vector
The attack vector is network-based and requires authenticated access. An attacker with valid credentials can initiate multiple media download requests that bypass the intended safety restrictions. The absence of file count limits (MAX_IMAGES_PER_MESSAGE) and download timeouts (TLON_MEDIA_DOWNLOAD_IDLE_TIMEOUT_MS) in the vulnerable code path allows attackers to:
- Download arbitrarily large media files exceeding intended size limits
- Download an unlimited number of images per message
- Keep download connections open indefinitely without timeout controls
Detection Methods for CVE-2026-41408
Indicators of Compromise
- Unusual disk space consumption in the .openclaw/workspace/media/inbound directory
- High volume of media download requests from authenticated users
- Stalled or long-running download connections exceeding 30 seconds
Detection Strategies
- Monitor disk usage on systems running OpenClaw, particularly the media storage directories
- Implement alerting for rapid growth in stored media files or directory sizes
- Review application logs for excessive media download activity from individual accounts
Monitoring Recommendations
- Set up disk space threshold alerts for OpenClaw server storage volumes
- Monitor network connections for unusually long download sessions
- Track per-user media download volume and frequency metrics
How to Mitigate CVE-2026-41408
Immediate Actions Required
- Upgrade OpenClaw to version 2026.3.31 or later immediately
- Review disk usage on affected systems and clean up excessive media files if necessary
- Monitor for signs of exploitation while planning the upgrade
Patch Information
The vulnerability was addressed in commit 2194587d70d2aef863508b945319c5a7c88b12ce. The fix refactors the media download handler to use OpenClaw's centralized media runtime SDK with proper safety controls:
import { randomUUID } from "node:crypto";
-import { createWriteStream } from "node:fs";
-import { mkdir } from "node:fs/promises";
-import { homedir } from "node:os";
+import { mkdir, writeFile } from "node:fs/promises";
import * as path from "node:path";
-import { Readable } from "node:stream";
-import { pipeline } from "node:stream/promises";
-import { fetchWithSsrFGuard } from "../../runtime-api.js";
+import {
+ fetchRemoteMedia,
+ MAX_IMAGE_BYTES,
+ saveMediaBuffer,
+} from "openclaw/plugin-sdk/media-runtime";
import { getDefaultSsrFPolicy } from "../urbit/context.js";
-// Default to OpenClaw workspace media directory
-const DEFAULT_MEDIA_DIR = path.join(homedir(), ".openclaw", "workspace", "media", "inbound");
+const MAX_IMAGES_PER_MESSAGE = 8;
+const TLON_MEDIA_DOWNLOAD_IDLE_TIMEOUT_MS = 30_000;
export interface ExtractedImage {
url: string;
Source: GitHub Commit Update
The patch introduces:
- MAX_IMAGE_BYTES - Enforces file size limits through the media runtime
- MAX_IMAGES_PER_MESSAGE - Caps inbound image downloads to 8 per message
- TLON_MEDIA_DOWNLOAD_IDLE_TIMEOUT_MS - Implements a 30-second idle timeout for downloads
Workarounds
- Implement disk quota limits at the filesystem or container level for OpenClaw deployments
- Configure external rate limiting on media download endpoints at the reverse proxy or load balancer
- Monitor and alert on disk usage to detect exploitation attempts before service impact
For additional details, see the GitHub Security Advisory GHSA-4g5x-2jfc-xm98 and the VulnCheck Advisory on Openclaw.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
