Description
OpenClaw before 2026.3.28 accepts unbounded concurrent unauthenticated WebSocket upgrades without pre-authentication budget allocation. Unauthenticated network attackers can exhaust socket and worker capacity to disrupt WebSocket availability for legitimate clients.
Published: 2026-04-28
Score: 8.7 High
EPSS: n/a
KEV: No
Impact: Denial of Service
Action: Patch Immediately
AI Analysis

Impact

OpenClaw before version 2026.3.28 accepts unbounded concurrent unauthenticated WebSocket upgrades without allocating a pre‑authentication budget. This flaw allows attackers who can reach the WebSocket endpoint over the network to open a large number of upgrade requests, exhausting socket and worker capacity. As a result, legitimate clients lose availability of the WebSocket service. The weakness is a classic example of unbounded resource allocation (CWE-770).

Affected Systems

The vulnerability affects all OpenClaw installations running versions earlier than 2026.3.28. The product was identified by the CNA as "OpenClaw:OpenClaw" and is implemented in a Node.js environment. No other versions or product variants are listed as affected.

Risk and Exploitability

The CVSS score of 8.7 indicates a high severity and the lack of a pre‑authentication budget increases both the attack surface and the potential impact. While the EPSS score is not available, the absence of this metric does not diminish the high impact of the flaw. The vulnerability is not listed in the CISA KEV catalog, but its high CVSS rating and the fact that attackers can trigger it from the network without authentication make it highly actionable. Attackers would target the WebSocket endpoint to launch a denial of Service by flooding the server with upgrade requests, leading to legitimate client disconnection or degraded service.

Generated by OpenCVE AI on April 28, 2026 at 23:01 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OpenClaw to version 2026.3.28 or later.
  • If an immediate upgrade is not possible, restrict incoming WebSocket connections to trusted IP ranges or apply a rate limiter to limit concurrent upgrade requests from unauthenticated clients.
  • Monitor the WebSocket traffic for sudden spikes in upgrade requests and configure alerts for when thresholds are exceeded.

Generated by OpenCVE AI on April 28, 2026 at 23:01 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 28 Apr 2026 19:15:00 +0000

Type Values Removed Values Added
Description OpenClaw before 2026.3.28 accepts unbounded concurrent unauthenticated WebSocket upgrades without pre-authentication budget allocation. Unauthenticated network attackers can exhaust socket and worker capacity to disrupt WebSocket availability for legitimate clients.
Title OpenClaw < 2026.3.28 - Denial of Service via Unbounded Pre-auth WebSocket Upgrades
First Time appeared Openclaw
Openclaw openclaw
Weaknesses CWE-770
CPEs cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*
Vendors & Products Openclaw
Openclaw openclaw
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Openclaw Openclaw
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-29T12:51:43.432Z

Reserved: 2026-04-20T14:15:22.222Z

Link: CVE-2026-41399

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-28T19:37:43.420

Modified: 2026-04-28T20:10:23.367

Link: CVE-2026-41399

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T23:15:43Z

Weaknesses