Moderate severity · NVD Advisory · Published Mar 5, 2026 · Updated Mar 9, 2026
OpenClaw < 2026.2.14 - Denial of Service via Unguarded Archive Extraction in extractArchive
CVE-2026-28452
Description
OpenClaw versions prior to 2026.2.14 contain a denial of service vulnerability in the extractArchive function within src/infra/archive.ts that allows attackers to consume excessive CPU, memory, and disk resources through high-expansion ZIP and TAR archives. Remote attackers can trigger resource exhaustion by providing maliciously crafted archive files during install or update operations, causing service degradation or system unavailability.
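The description above names the failure mode but not the guard that prevents it. The block below is an added example written for this page; it is not OpenClaw's code, not the content of the referenced patch commits, and the limit names, helper functions and sample archives are assumptions. It shows the gate a practitioner would expect in front of a `.tar.gz` install/update path: cap the inflated size with zlib's own `maxOutputLength` so a high-ratio stream cannot fill memory, then walk the ustar headers and reject the archive on entry count, per-entry size, total declared size or path escape before a single member touches disk.

```typescript
// Added example, not OpenClaw's code: a resource-capped planning pass for .tar.gz input.
// Limit names, helpers and the constructed sample archives are assumptions for this page.
import * as zlib from "zlib";
import * as path from "path";

export interface ExtractLimits {
  maxInflatedBytes: number; // cap on gunzip output, enforced by zlib before tar parsing
  maxEntries: number;       // cap on archive members (CPU / inode budget)
  maxEntryBytes: number;    // cap on any single member's declared size
  maxTotalBytes: number;    // cap on the sum of declared sizes (disk budget)
}

export const DEFAULT_LIMITS: ExtractLimits = {
  maxInflatedBytes: 256 * 1024 * 1024,
  maxEntries: 10000,
  maxEntryBytes: 64 * 1024 * 1024,
  maxTotalBytes: 256 * 1024 * 1024,
};

export interface TarEntry { name: string; size: number; type: string; }

// Node's convenience gunzip throws RangeError (code ERR_BUFFER_TOO_LARGE) as soon as the
// inflated output would exceed maxOutputLength, so a high-ratio stream never fills memory.
export function boundedGunzip(gz: Buffer, maxBytes: number): Buffer {
  return zlib.gunzipSync(gz, { maxOutputLength: maxBytes });
}

function octalField(buf: Buffer, off: number, len: number): number {
  const s = buf.toString("ascii", off, off + len).split("\0")[0].trim();
  return s === "" ? 0 : parseInt(s, 8);
}

function isZeroBlock(block: Buffer): boolean {
  for (let i = 0; i < block.length; i++) if (block[i] !== 0) return false;
  return true;
}

// Walk ustar headers and reject the archive before any member is written to disk.
export function planTarExtraction(tar: Buffer, limits: ExtractLimits = DEFAULT_LIMITS): TarEntry[] {
  const entries: TarEntry[] = [];
  let total = 0;
  for (let off = 0; off + 512 <= tar.length; ) {
    const header = tar.subarray(off, off + 512);
    if (isZeroBlock(header)) break; // end-of-archive marker
    const name = header.toString("utf8", 0, 100).split("\0")[0];
    const size = octalField(header, 124, 12);
    const type = header[156] === 0 ? "0" : String.fromCharCode(header[156]);
    if (entries.length >= limits.maxEntries) throw new Error(`more than ${limits.maxEntries} entries`);
    if (size > limits.maxEntryBytes) throw new Error(`${name}: ${size} bytes exceeds per-entry cap`);
    total += size;
    if (total > limits.maxTotalBytes) throw new Error(`archive expands past ${limits.maxTotalBytes} bytes`);
    // Path containment (tar-slip) is a different bug class but belongs in the same gate.
    const norm = path.posix.normalize(name);
    if (path.posix.isAbsolute(norm) || norm === ".." || norm.startsWith("../")) throw new Error(`${name}: escapes destination`);
    entries.push({ name, size, type });
    off += 512 + Math.ceil(size / 512) * 512; // skip the padded data blocks
  }
  return entries;
}

// One gate for .tar.gz input: cap inflation first, then cap what the tar would expand to.
export function planTarGzExtraction(gz: Buffer, limits: ExtractLimits = DEFAULT_LIMITS): TarEntry[] {
  return planTarExtraction(boundedGunzip(gz, limits.maxInflatedBytes), limits);
}

// --- constructed sample archives (built here for the example, not real OpenClaw artifacts) ---

function octalString(n: number, digits: number): string {
  let s = n.toString(8);
  while (s.length < digits) s = "0" + s;
  return s;
}

// One ustar header; declaredSize may differ from the real body to simulate a lying header.
export function tarHeader(name: string, declaredSize: number): Buffer {
  const h = Buffer.alloc(512);
  h.write(name, 0, 100, "utf8");
  h.write("0000644\0", 100, 8, "ascii");
  h.write("0000000\0", 108, 8, "ascii");
  h.write("0000000\0", 116, 8, "ascii");
  h.write(octalString(declaredSize, 11) + "\0", 124, 12, "ascii");
  h.write(octalString(0, 11) + "\0", 136, 12, "ascii");
  h.write("        ", 148, 8, "ascii"); // checksum is computed with this field as spaces
  h.write("0", 156, 1, "ascii");
  h.write("ustar\0", 257, 6, "ascii");
  h.write("00", 263, 2, "ascii");
  let sum = 0;
  for (let i = 0; i < 512; i++) sum += h[i];
  h.write(octalString(sum, 6) + "\0 ", 148, 8, "ascii");
  return h;
}

export function buildTar(members: Array<{ name: string; data: Buffer; declaredSize?: number }>): Buffer {
  const parts: Buffer[] = [];
  for (const m of members) {
    parts.push(tarHeader(m.name, m.declaredSize === undefined ? m.data.length : m.declaredSize));
    parts.push(m.data, Buffer.alloc((512 - (m.data.length % 512)) % 512));
  }
  parts.push(Buffer.alloc(1024)); // two zero blocks terminate the archive
  return Buffer.concat(parts);
}
```

The planning pass only reads headers, so a member that declares 4 GiB costs 512 bytes to reject; the gzip cap is what stops a few kilobytes of compressed zeros from becoming hundreds of megabytes in memory before the tar parser ever runs. Limits should be tuned to what the install/update flow legitimately needs, and a ZIP path needs the same pair of checks using the central directory's uncompressed-size fields plus a bounded inflate per entry.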
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| openclaw (npm) | < 2026.2.14 | 2026.2.14 |
| clawdbot (npm) | <= 2026.1.24-3 | none |
Affected products
Version ranges from the GHSA coordinates (no CPE assigned):
- range: <= 2026.1.24-3
- range: < 2026.2.14
References
- github.com/openclaw/openclaw/commit/5f4b29145c236d124524c2c9af0f8acd048fbdea (GHSA: patch)
- github.com/openclaw/openclaw/commit/d3ee5deb87ee2ad0ab83c92c365611165423cb71 (GHSA: patch)
- github.com/advisories/GHSA-h89v-j3x9-8wqj (GHSA: advisory)
- github.com/openclaw/openclaw/security/advisories/GHSA-h89v-j3x9-8wqj (GHSA: vendor advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-28452 (GHSA: advisory)
- www.vulncheck.com/advisories/openclaw-denial-of-service-via-unguarded-archive-extraction-in-extractarchive (GHSA: third-party advisory)
- github.com/openclaw/openclaw/releases/tag/v2026.2.14 (GHSA: release notes)