CVE
CVE-2026-41399
OpenClaw: Gateway WebSocket Denial of Service via unbounded pre-auth upgrades
Summary
The gateway accepted unbounded concurrent unauthenticated WebSocket upgrades before allocating them to an authenticated session budget.
Impact
An unauthenticated network attacker could consume socket and worker capacity and disrupt WebSocket availability for legitimate clients.
Affected Component
src/gateway/server-http.ts, src/gateway/server/preauth-connection-budget.ts
Fixed Versions
- Affected:
<= 2026.3.24 - Patched:
>= 2026.3.28 - Latest stable
2026.3.28contains the fix.
Fix
Fixed by commit cb5f7e201f (gateway: cap concurrent pre-auth websocket upgrades).
Discovered by:Topsec AlphaLab (wang dong)
Package Versions Affected
Package Version
patch Availability
No items found.
Automatically patch vulnerabilities without upgrading
Fix Without Upgrading
Detect compatible fix
Apply safe remediation
Fix with a single pull request
CVSS Version
Severity
Base Score
CVSS Version
Score Vector
C
H
U
8.7
-
4.0
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
C
H
U
0
-
C
H
U
-
Related Resources
No items found.
References
https://github.com/openclaw/openclaw/security/advisories/GHSA-f44p-c7w9-7xr7, https://github.com/openclaw/openclaw/commit/cb5f7e201f3f86ad70e199ef850e636b4cc457ba, https://github.com/openclaw/openclaw
Basic Information
Ecosystem
