CVE-2026-32062

OpenClaw versions 2026.2.21-2 up to, but not including, 2026.2.22, and @openclaw/voice-call versions 2026.2.21 up to, but not including, 2026.2.22 accept media-stream WebSocket upgrades before stream validation, allowing unauthenticated clients to establish connections. Remote attackers can hold idle pre-authenticated sockets open to consume connection resources and degrade service availability for legitimate streams.
Configurations

Configuration 1

OR cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*
cpe:2.3:a:openclaw:openclaw\/voice-call:*:*:*:*:*:node.js:*:*

History

26 May 2026, 14:16

Type: Summary
Values Removed: (en) OpenClaw versions 2026.2.21-2 prior to 2026.2.22 and @openclaw/voice-call versions 2026.2.21 prior to 2026.2.22 accept media-stream WebSocket upgrades before stream validation, allowing unauthenticated clients to establish connections. Remote attackers can hold idle pre-authenticated sockets open to consume connection resources and degrade service availability for legitimate streams.
Values Added: (en) OpenClaw versions 2026.2.21-2 up to, but not including, 2026.2.22, and @openclaw/voice-call versions 2026.2.21 up to, but not including, 2026.2.22 accept media-stream WebSocket upgrades before stream validation, allowing unauthenticated clients to establish connections. Remote attackers can hold idle pre-authenticated sockets open to consume connection resources and degrade service availability for legitimate streams.

12 May 2026, 02:16

Type: Summary
Values Removed: (en) OpenClaw versions2026.2.21-2 prior to 2026.2.22 and @openclaw/voice-call versions 2026.2.21 prior to 2026.2.22 accept media-stream WebSocket upgrades before stream validation, allowing unauthenticated clients to establish connections. Remote attackers can hold idle pre-authenticated sockets open to consume connection resources and degrade service availability for legitimate streams.
Values Added: (en) OpenClaw versions 2026.2.21-2 prior to 2026.2.22 and @openclaw/voice-call versions 2026.2.21 prior to 2026.2.22 accept media-stream WebSocket upgrades before stream validation, allowing unauthenticated clients to establish connections. Remote attackers can hold idle pre-authenticated sockets open to consume connection resources and degrade service availability for legitimate streams.

26 Mar 2026, 12:48

Type: First Time
Values Added:
  • Openclaw openclaw
  • Openclaw openclaw\/voice-call
  • Openclaw
Type: Summary
Values Added:
  • (es) OpenClaw versions 2026.2.21-2 prior to 2026.2.22 and @openclaw/voice-call versions 2026.2.21 prior to 2026.2.22 accept media-stream WebSocket upgrades before stream validation, allowing unauthenticated clients to establish connections. Remote attackers can hold idle pre-authenticated sockets open to consume connection resources and degrade service availability for legitimate streams.
Type: CPE
Values Added:
  • cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*
  • cpe:2.3:a:openclaw:openclaw\/voice-call:*:*:*:*:*:node.js:*:*
Type: References
Values Removed: () https://github.com/openclaw/openclaw/commit/1d8968c8a821ff1a05c294a1846b3bcb6f343794 -
Values Added: () https://github.com/openclaw/openclaw/commit/1d8968c8a821ff1a05c294a1846b3bcb6f343794 - Patch
Type: References
Values Removed: () https://github.com/openclaw/openclaw/security/advisories/GHSA-mfg5-7q5g-f37j -
Values Added: () https://github.com/openclaw/openclaw/security/advisories/GHSA-mfg5-7q5g-f37j - Mitigation, Vendor Advisory
Type: References
Values Removed: () https://www.vulncheck.com/advisories/openclaw-unauthenticated-websocket-resource-exhaustion-via-media-stream -
Values Added: () https://www.vulncheck.com/advisories/openclaw-unauthenticated-websocket-resource-exhaustion-via-media-stream - Third Party Advisory

11 Mar 2026, 14:16

Type: New CVE

Information

Published : 2026-03-11 14:16

Updated : 2026-05-26 14:16


NVD link : CVE-2026-32062

Mitre link : CVE-2026-32062

CVE.ORG link : CVE-2026-32062



Products Affected

openclaw

  • openclaw\/voice-call
  • openclaw
CWE
CWE-770

Allocation of Resources Without Limits or Throttling