CVE-2026-32062 | THREATINT

Description

OpenClaw versions2026.2.21-2 prior to 2026.2.22 and @openclaw/voice-call versions 2026.2.21 prior to 2026.2.22 accept media-stream WebSocket upgrades before stream validation, allowing unauthenticated clients to establish connections. Remote attackers can hold idle pre-authenticated sockets open to consume connection resources and degrade service availability for legitimate streams.

PUBLISHED Reserved 2026-03-10 | Published 2026-03-11 | Updated 2026-03-11 | Assigner VulnCheck

HIGH: 8.7CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

HIGH: 7.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Problem types

Allocation of Resources Without Limits or Throttling

Product status

Default status

unaffected

2026.2.21-2 (semver) before 2026.2.22

affected

2026.2.22 (semver)

unaffected

2026.2.21

affected

2026.2.22

affected

Credits

@jiseoung reporter

References

github.com/...enclaw/security/advisories/GHSA-mfg5-7q5g-f37j (GitHub Security Advisory (GHSA-mfg5-7q5g-f37j)) vendor-advisory

github.com/...ommit/1d8968c8a821ff1a05c294a1846b3bcb6f343794 (Patch Commit) patch

www.vulncheck.com/...et-resource-exhaustion-via-media-stream (VulnCheck Advisory: OpenClaw 2026.2.21-2 < 2026.2.22 - Unauthenticated WebSocket Resource Exhaustion via Media Stream) third-party-advisory

cve.org (CVE-2026-32062)

nvd.nist.gov (CVE-2026-32062)

Download JSON