CVE-2026-32062

Name of the Vulnerable Software and Affected Versions OpenClaw versions prior to 2026.2.22 @openclaw/voice-call versions prior to 2026.2.22

Description OpenClaw and @openclaw/voice-call accept media-stream WebSocket upgrades before validating the stream, allowing unauthenticated clients to establish connections. This allows remote attackers to hold open pre-authenticated sockets, consuming connection resources and potentially degrading service availability for legitimate streams. Approximately 128,000 instances are potentially affected. The issue arises because the voice-call media-stream path upgraded sockets before running stream validation, creating a window where remote clients could hold idle sockets without call or token validation. The vulnerability can lead to a denial-of-service (DoS) condition by exhausting server resources.

Recommendations OpenClaw versions prior to 2026.2.22 should be updated to version 2026.2.22. @openclaw/voice-call versions prior to 2026.2.22 should be updated to version 2026.2.22.