CVE-2026-42437 - Vulnerability Details

- OpenClaw 2026.4.9 < 2026.4.10 - Denial of Service via Oversized WebSocket Frames in Voice-call Realtime Path

Description

OpenClaw versions 2026.4.9 before 2026.4.10 contain a denial of service vulnerability in the voice-call realtime WebSocket path that accepts oversized frames without proper validation. Remote attackers can send oversized WebSocket frames to cause service unavailability for deployments exposing the voice-call realtime WebSocket path.

Published: 2026-05-05

Score: 8.2 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

OpenClaw versions 2026.4.9 before 2026.4.10 contain a denial of service vulnerability in the voice‑call realtime WebSocket path that accepts oversized frames without proper validation. Remote attackers can send oversized WebSocket frames to cause service unavailability for deployments exposing the voice‑call realtime WebSocket path. The flaw is characterized by CWE‑770 and allows attackers to exhaust resources.

Affected Systems

OpenClaw 2026.4.9 and earlier releases before 2026.4.10 are affected. The products are listed under the OpenClaw vendor and the impacted version range is any release older than 2026.4.10. Future versions such as 2026.4.10 contain the public fix.

Risk and Exploitability

The CVSS score of 8.2 ranks the flaw as High, and the EPSS score of < 1% indicates a very low probability of exploitation. The flaw is not noted in the CISA KEV catalog. The likely attack vector is remote, with an adversary able to send malicious WebSocket frames over the network to a publicly exposed endpoint. Successful exploitation would cause denial of service for all users of the vulnerable deployment.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

OpenClaw

unaffected

Version	Status	Constraints
`2026.4.9`	affected	< 2026.4.10
`2026.4.10`	unaffected	—

No data.

Vendor Product Confidence Versions

Openclaw

95%

Version	Status	Scheme	Platform
`[2026.4.9,2026.4.10)`	affected	semver	—
`2026.4.10`	unaffected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade OpenClaw to version 2026.4.10 or later
If an upgrade is not immediately possible, restrict or disable the voice‑call webhook path in the application configuration
Implement a layer that validates the size of incoming WebSocket frames before they reach the application logic

Generated by OpenCVE AI on May 26, 2026 at 15:54 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Github GHSA	GHSA-vw3h-q6xq-jjm5	OpenClaw: Voice-call realtime WebSocket accepted oversized frames

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements Present

User Interaction None

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00417.

Exploitation none

Automatable yes

Technical Impact partial

References

Link	Providers
https://github.com/openclaw/openclaw/commit/afadb7dae6738819ad9c7d2597ace0516957d20e
https://github.com/openclaw/openclaw/security/advisories/GHSA-vw3h-q6xq-jjm5
https://www.vulncheck.com/advisories/openclaw-denial-of-service-via-oversized-websocket-frames-in-voice-call-realtime-path

History

Tue, 26 May 2026 13:45:00 +0000

Type	Values Removed	Values Added
Description	OpenClaw versions 2026.4.9 before 2026.4.10 contain a denial of service vulnerability in the voice-call realtime WebSocket path that accepts oversized frames without proper validation. Remote attackers can send oversized WebSocket frames to cause service unavailability for deployments exposing the webhook path.	OpenClaw versions 2026.4.9 before 2026.4.10 contain a denial of service vulnerability in the voice-call realtime WebSocket path that accepts oversized frames without proper validation. Remote attackers can send oversized WebSocket frames to cause service unavailability for deployments exposing the voice-call realtime WebSocket path.

Tue, 05 May 2026 13:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Tue, 05 May 2026 11:45:00 +0000

Type	Values Removed	Values Added
Description		OpenClaw versions 2026.4.9 before 2026.4.10 contain a denial of service vulnerability in the voice-call realtime WebSocket path that accepts oversized frames without proper validation. Remote attackers can send oversized WebSocket frames to cause service unavailability for deployments exposing the webhook path.
Title		OpenClaw 2026.4.9 < 2026.4.10 - Denial of Service via Oversized WebSocket Frames in Voice-call Realtime Path
First Time appeared		Openclaw Openclaw openclaw
Weaknesses		CWE-770
CPEs		cpe:2.3:a:openclaw:openclaw::::::node.js::*
Vendors & Products		Openclaw Openclaw openclaw
References		https://github.com/openclaw/openclaw/commit/afadb7dae6738819ad9c7d2597ace0516957d20e https://github.com/openclaw/openclaw/security/advisories/GHSA-vw3h-q6xq-jjm5 https://www.vulncheck.com/advisories/openclaw-denial-of-service-via-oversized-websocket-frames-in-voice-call-realtime-path
Metrics		cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}` cvssV4_0 `{'score': 8.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}`

Subscriptions

Openclaw Openclaw

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published: 2026-05-05T11:24:55.977Z

Updated: 2026-05-26T11:52:19.047Z

Reserved: 2026-04-27T11:40:07.152Z

Link: CVE-2026-42437

Vulnrichment

Updated: 2026-05-05T12:19:59.400Z

NVD

Status : Deferred

Published: 2026-05-05T12:16:18.190

Modified: 2026-06-17T10:47:50.473

Link: CVE-2026-42437

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-26T16:00:11Z

Weaknesses

CWE-770
Allocation of Resources Without Limits or Throttling

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements Present

User Interaction None

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Exploitation none

Automatable yes

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object