EUVD-2026-17431
GHSA-v2v2-f783-358j
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4Description
OpenClaw before 2026.3.28 downloads and stores inbound media from Zalo channels before validating sender authorization. Unauthorized senders can force network fetches and disk writes to the media store by sending messages that are subsequently rejected.
Analysis
Unauthenticated attackers can force OpenClaw versions before 2026.3.28 to download and store arbitrary media files through Zalo messaging channels, bypassing sender authorization checks. The flaw allows remote exploitation without authentication (CVSS 9.8 critical) to consume network bandwidth and storage resources. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Identify all OpenClaw instances and document current versions; temporarily disable or restrict Zalo messaging channel integrations if version < 2026.3.28. Within 7 days: Apply vendor-released patch to version 2026.3.28 or later (commit 68ceaf7a5); validate patched instances in staging environment before production rollout. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today