Get a Demo

Let's Patch It!

Book a short call with one our specialists, we'll walk you through how Endor Patches work, and ask you a few questions about your environment (like your primary programming languages and repository management). We'll also send you an email right after you fill out the form, feel free to reply with any questions you have in advance!

CVE

CVE-2026-32062

OpenClaw voice-call media stream validated streams after upgrade, which could allow pre-start unauthenticated sockets to increase resource pressure
Back to all
CVE

CVE-2026-32062

OpenClaw voice-call media stream validated streams after upgrade, which could allow pre-start unauthenticated sockets to increase resource pressure

Summary

@openclaw/voice-call (and the bundled copy shipped in openclaw) accepted media-stream WebSocket upgrades before stream validation. In reachable deployments, unauthenticated pre-start sockets could be held open and increase resource pressure.

Affected Packages / Versions

  • openclaw (npm): vulnerable <= 2026.2.21-2, patched in 2026.2.22.
  • @openclaw/voice-call (npm): vulnerable <= 2026.2.21, patched in 2026.2.22.

Technical Details

Before this fix, the voice-call media-stream path upgraded sockets first and ran shouldAcceptStream() after a later start frame. This created a pre-auth window where remote clients could hold idle sockets without call/token validation.

Impact

Availability risk in deployments where the media-stream endpoint is reachable and streaming is enabled. Under sustained abuse, this could consume connection-related resources and degrade service for legitimate streams.

Remediation

The fix adds layered controls in the media-stream path:

  • strict pre-start timeout (close sockets that do not send a valid start frame quickly)
  • global pending-connection cap
  • per-IP pending-connection cap
  • total open media-stream connection cap
  • safer upgrade-path parsing in the webhook server

Fix Commit(s)

  • 1d8968c8a821ff1a05c294a1846b3bcb6f343794

Release Process Note

patched_versions is pre-set to 2026.2.22 so this advisory is ready to publish once npm openclaw@2026.2.22 and @openclaw/voice-call@2026.2.22 are released.

OpenClaw thanks @jiseoung for reporting.

Package Versions Affected

Package Version
patch Availability
No items found.

Automatically patch vulnerabilities without upgrading

Fix Without Upgrading
Detect compatible fix
Apply safe remediation
Fix with a single pull request

CVSS Version

Severity
Base Score
CVSS Version
Score Vector
C
H
U
8.7
-
4.0
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
C
H
U
0
-
3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
C
H
U
-

Related Resources

No items found.

References

https://github.com/openclaw/openclaw/security/advisories/GHSA-mfg5-7q5g-f37j, https://nvd.nist.gov/vuln/detail/CVE-2026-32062, https://github.com/openclaw/openclaw/commit/1d8968c8a821ff1a05c294a1846b3bcb6f343794, https://github.com/openclaw/openclaw, https://www.vulncheck.com/advisories/openclaw-unauthenticated-websocket-resource-exhaustion-via-media-stream

Severity

7.5

CVSS Score
0
10

Basic Information

Ecosystem
Base CVSS
7.5
EPSS Probability
0.00136%
EPSS Percentile
0.3308%
Introduced Version
0
Fix Available
2026.2.22

Fix Critical Vulnerabilities Instantly

Secure your app without upgrading.
Fix Without Upgrading