CVE-2026-32062

7.5 HIGH

📋 TL;DR

OpenClaw and its voice-call component accept WebSocket connections for media streams before validating authentication, allowing unauthenticated remote attackers to establish idle connections. This resource exhaustion vulnerability can degrade service availability for legitimate users by consuming connection resources. Affects OpenClaw versions 2026.2.21-2 and earlier, and @openclaw/voice-call versions 2026.2.21 and earlier.

💻 Affected Systems

Products:
  • OpenClaw
  • @openclaw/voice-call
Versions: OpenClaw: versions 2026.2.21-2 and earlier; @openclaw/voice-call: versions 2026.2.21 and earlier
Operating Systems: All platforms running affected software
Default Config Vulnerable: ⚠️ Yes
Notes: Affects systems with media-stream WebSocket functionality enabled. The vulnerability exists in the WebSocket upgrade handshake logic.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete service degradation or denial of service for legitimate media streams due to connection resource exhaustion, potentially disrupting voice communication services.

🟠

Likely Case

Degraded performance and intermittent service disruptions for legitimate users as connection pools become saturated with idle attacker-controlled sockets.

🟢

If Mitigated

Minimal impact with proper rate limiting, connection timeouts, and authentication validation in place before WebSocket upgrades.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only establishing WebSocket connections without authentication. No special tools or complex techniques needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: OpenClaw: 2026.2.22; @openclaw/voice-call: 2026.2.22

Vendor Advisory: https://github.com/openclaw/openclaw/security/advisories/GHSA-mfg5-7q5g-f37j

Restart Required: Yes

Instructions:

1. Update OpenClaw to version 2026.2.22 or later.
2. Update @openclaw/voice-call to version 2026.2.22 or later.
3. Restart the application/service.
4. Verify the fix by checking the installed version and confirming that unauthenticated WebSocket upgrades are rejected.

🔧 Temporary Workarounds

Implement WebSocket connection rate limiting

Applies to: all platforms

Limit the number of WebSocket connections per IP address to prevent resource exhaustion attacks.

# Configure in the application, or in a reverse proxy such as nginx.
# nginx example (limit_conn counts concurrent connections, so idle sockets are capped too):
limit_conn_zone $binary_remote_addr zone=ws_limit:10m;   # in the http {} block
limit_conn ws_limit 10;                                  # in the server {} or location {} block

Add authentication validation before WebSocket upgrade

Applies to: all platforms

Modify application logic to validate authentication tokens before accepting WebSocket upgrade requests.

// Application code change required:
// validate the auth token in the HTTP upgrade handler and reject with 401 before calling ws.upgrade()

🧯 If You Can't Patch

  • Implement network-level WebSocket connection limits using firewalls or load balancers.
  • Deploy the service behind a reverse proxy with connection limiting and timeout enforcement.

🔍 How to Verify

Check if Vulnerable:

Check if WebSocket connections can be established without valid authentication tokens for media streams.

Check Version:

npm list openclaw @openclaw/voice-call

Verify Fix Applied:

Attempt to establish a WebSocket connection for a media stream without authentication; it should be rejected. Verify the installed version is 2026.2.22 or later.

📡 Detection & Monitoring

Log Indicators:

  • High volume of WebSocket connection attempts from single IPs
  • WebSocket connections established without authentication logs
  • Connection pool exhaustion warnings

Network Indicators:

  • Unusual spike in WebSocket traffic
  • Multiple WebSocket handshakes without subsequent data transfer
  • Sustained idle WebSocket connections

SIEM Query:

source="websocket.log" AND (event="connection" OR event="upgrade") | stats count by src_ip | where count > threshold
