Description
OpenClaw versions 2026.4.9 before 2026.4.10 contain a denial of service vulnerability in the voice-call realtime WebSocket path that accepts oversized frames without proper validation. Remote attackers can send oversized WebSocket frames to cause service unavailability for deployments exposing the webhook path.
Published: 2026-05-05
Score: 8.2 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability lies in the WebSocket handling of the voice-call realtime route, where incoming frames are accepted without a payload-length check. An attacker could send a frame whose declared size exceeds what the service expects, causing resource exhaustion and rendering the service unresponsive. The primary impact is that users of deployments exposing this webhook path cannot place or receive voice calls while the service is unavailable. The weakness is classified as CWE-770 (Allocation of Resources Without Limits or Throttling).

Affected Systems

OpenClaw releases before 2026.4.10, including 2026.4.9, are affected. The product is listed under the OpenClaw vendor, and the impacted version range is any release older than 2026.4.10. Version 2026.4.10 contains the public fix.

Risk and Exploitability

The CVSS score of 8.2 ranks the flaw as High and the lack of a publicly available EPSS score leaves the exact exploit probability unknown. The flaw is not noted in the CISA KEV catalog. The likely attack vector is remote, with an adversary able to send malicious WebSocket frames over the network to a publicly exposed endpoint. Successful exploitation would cause denial of service for all users of the vulnerable deployment.

Generated by OpenCVE AI on May 5, 2026 at 12:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OpenClaw to version 2026.4.10 or later
  • If an upgrade is not immediately possible, restrict or disable the voice‑call webhook path in the application configuration
  • Implement a layer that validates the size of incoming WebSocket frames before they reach the application logic
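The last action above, shown as an added example that is not OpenClaw's own code: a dependency-free Node.js check (the product's CPE lists node.js) that reads the RFC 6455 frame header from a raw socket and decides on the declared length before any payload is buffered. The function names, the 1 MiB limit and the sample header bytes are assumptions constructed for this illustration.

```javascript
// Added example, not OpenClaw's own code: inspect an RFC 6455 frame header on a
// raw Node.js socket and reject oversized frames before any payload is buffered.
// maxPayload is a deployment-chosen assumption, not a value from the advisory.
const CLOSE_PROTOCOL_ERROR = 1002;  // RFC 6455 section 7.4.1
const CLOSE_MESSAGE_TOO_BIG = 1009;

// Returns {ok:true, headerLength, payloadLength, opcode} for an acceptable
// header, {ok:false, need:true} if more bytes are required to decide, or
// {ok:false, closeCode, reason} when the connection must be closed.
function checkFrameHeader(buf, maxPayload, fromClient = true) {
  const fail = (closeCode, reason) => ({ ok: false, closeCode, reason });
  if (buf.length < 2) return { ok: false, need: true };
  const opcode = buf[0] & 0x0f;
  const masked = (buf[1] & 0x80) !== 0;
  let len = buf[1] & 0x7f;
  let headerLength = 2;
  if (len === 126) {                       // 16-bit extended length
    if (buf.length < 4) return { ok: false, need: true };
    len = buf.readUInt16BE(2);
    headerLength = 4;
  } else if (len === 127) {                // 64-bit extended length
    if (buf.length < 10) return { ok: false, need: true };
    const big = buf.readBigUInt64BE(2);
    // RFC 6455 5.2 requires the top bit clear; anything beyond a safe JS
    // integer cannot be handled sanely and is treated as a protocol error.
    if (big > BigInt(Number.MAX_SAFE_INTEGER)) return fail(CLOSE_PROTOCOL_ERROR, 'unrepresentable length');
    len = Number(big);
    headerLength = 10;
  }
  if (fromClient && !masked) return fail(CLOSE_PROTOCOL_ERROR, 'client frame not masked');
  if (opcode >= 0x8 && len > 125) return fail(CLOSE_PROTOCOL_ERROR, 'control frame too long');
  // The check that matters for this CVE: decide on the declared length alone,
  // so an oversized frame is rejected before its payload is ever allocated.
  if (len > maxPayload) return fail(CLOSE_MESSAGE_TOO_BIG, `payload ${len} > limit ${maxPayload}`);
  return { ok: true, headerLength: headerLength + (masked ? 4 : 0), payloadLength: len, opcode };
}

// Server-to-client Close frame (unmasked, RFC 6455 5.5.1) sent before ending the socket.
function closeFrame(code, reason = '') {
  const body = Buffer.concat([Buffer.from([code >> 8, code & 0xff]), Buffer.from(reason, 'utf8')]);
  return Buffer.concat([Buffer.from([0x88, body.length]), body]);
}

// Constructed sample input: a masked binary frame header declaring a 2 GiB payload.
const OVERSIZED_HEADER = Buffer.from([0x82, 0xff, 0, 0, 0, 0, 0x80, 0, 0, 0]);
const verdict = checkFrameHeader(OVERSIZED_HEADER, 1 << 20);  // 1 MiB limit (assumed)
console.log(verdict.closeCode === CLOSE_MESSAGE_TOO_BIG ? 'reject with 1009' : 'accept');
```

Running the check on the first few header bytes of each frame, and writing `closeFrame(1009)` followed by a socket close when it fails, is the shape of the validating layer the recommendation describes; a library with an equivalent maximum-payload option achieves the same effect.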



Advisories
Source: GitHub GHSA
ID: GHSA-vw3h-q6xq-jjm5
Title: OpenClaw: Voice-call realtime WebSocket accepted oversized frames
History

Tue, 05 May 2026 13:15:00 +0000

Values removed: none
Values added:
  Metrics (ssvc): {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 05 May 2026 11:45:00 +0000

Values removed: none
Values added:
  Description: OpenClaw versions 2026.4.9 before 2026.4.10 contain a denial of service vulnerability in the voice-call realtime WebSocket path that accepts oversized frames without proper validation. Remote attackers can send oversized WebSocket frames to cause service unavailability for deployments exposing the webhook path.
  Title: OpenClaw 2026.4.9 < 2026.4.10 - Denial of Service via Oversized WebSocket Frames in Voice-call Realtime Path
  First Time appeared: Openclaw; Openclaw openclaw
  Weaknesses: CWE-770
  CPEs: cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*
  Vendors & Products: Openclaw; Openclaw openclaw
  References:
  Metrics (cvssV3_1): {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}
  Metrics (cvssV4_0): {'score': 8.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-05T12:20:06.090Z

Reserved: 2026-04-27T11:40:07.152Z

Link: CVE-2026-42437

Vulnrichment

Updated: 2026-05-05T12:19:59.400Z

NVD

Status : Received

Published: 2026-05-05T12:16:18.190

Modified: 2026-05-05T12:16:18.190

Link: CVE-2026-42437

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-05T12:30:24Z

Weaknesses