PT-2026-32068 · Npm · Openclaw

Published: 2026-03-31 · Updated: 2026-03-31

CVSS v4.0: 5.3 (Medium)

Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Summary

The gateway accepted unbounded concurrent unauthenticated WebSocket upgrades before allocating them to an authenticated session budget.

Impact

An unauthenticated network attacker could consume socket and worker capacity and disrupt WebSocket availability for legitimate clients.

Affected Component

src/gateway/server-http.ts, src/gateway/server/preauth-connection-budget.ts

Fixed Versions

  • Affected: <= 2026.3.24
  • Patched: >= 2026.3.28
  • Latest stable 2026.3.28 contains the fix.

Fix

Fixed by commit cb5f7e201f (gateway: cap concurrent pre-auth websocket upgrades).
Discovered by: Topsec AlphaLab (wang dong)
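The fix commit is described as capping concurrent pre-auth WebSocket upgrades. As an added illustration of that control (not OpenClaw's own code; the class and method names below are assumptions), the budget reserves a slot before the upgrade is accepted, refuses upgrades once the global or per-address cap is reached, and reclaims slots that never finish authenticating, so an unauthenticated burst cannot hold socket capacity indefinitely:

```typescript
// Added example, not OpenClaw's implementation: a pre-auth connection budget
// that caps how many WebSocket upgrades may sit in the unauthenticated state
// at once, globally and per source address, and reclaims slots that never
// authenticate. All names here are illustrative assumptions.

interface PendingUpgrade {
  ip: string;
  acquiredAt: number; // ms timestamp supplied by the caller's clock
}

export interface BudgetOptions {
  maxPending: number;      // global cap on unauthenticated upgrades
  maxPendingPerIp: number; // per-source cap so one client cannot fill the budget
  authTimeoutMs: number;   // slot is reclaimed if auth does not complete in time
}

export class PreauthConnectionBudget {
  private pending = new Map<string, PendingUpgrade>();
  private perIp = new Map<string, number>();

  constructor(private readonly opts: BudgetOptions) {}

  /** Number of upgrades currently waiting for authentication. */
  pendingCount(): number {
    return this.pending.size;
  }

  /**
   * Called before the 101 Switching Protocols response is sent.
   * Returns true if a slot was reserved; false means the upgrade must be
   * refused (e.g. respond 503 and destroy the socket) without allocating
   * anything from the authenticated session budget.
   */
  tryAcquire(connId: string, ip: string, now: number): boolean {
    this.sweepExpired(now);
    if (this.pending.size >= this.opts.maxPending) return false;
    const ipCount = this.perIp.get(ip) ?? 0;
    if (ipCount >= this.opts.maxPendingPerIp) return false;
    this.pending.set(connId, { ip, acquiredAt: now });
    this.perIp.set(ip, ipCount + 1);
    return true;
  }

  /** Authentication succeeded: the connection leaves the pre-auth budget. */
  markAuthenticated(connId: string): void {
    this.release(connId);
  }

  /** Socket closed or auth failed: free the pre-auth slot. */
  release(connId: string): void {
    const entry = this.pending.get(connId);
    if (!entry) return;
    this.pending.delete(connId);
    const remaining = (this.perIp.get(entry.ip) ?? 1) - 1;
    if (remaining <= 0) this.perIp.delete(entry.ip);
    else this.perIp.set(entry.ip, remaining);
  }

  /** Reclaim slots whose owners never finished authenticating; returns dropped ids. */
  sweepExpired(now: number): string[] {
    const expired: string[] = [];
    this.pending.forEach((entry, id) => {
      if (now - entry.acquiredAt >= this.opts.authTimeoutMs) expired.push(id);
    });
    for (const id of expired) this.release(id);
    return expired;
  }
}

/** Constructed scenario: a burst of upgrades from a single address, none authenticating. */
export function simulateBurst(
  count: number,
  opts: BudgetOptions,
): { accepted: number; refused: number } {
  const budget = new PreauthConnectionBudget(opts);
  let accepted = 0;
  let refused = 0;
  for (let i = 0; i < count; i++) {
    if (budget.tryAcquire(`conn-${i}`, "198.51.100.7", 0)) accepted++;
    else refused++;
  }
  return { accepted, refused };
}
```

In a real gateway the `tryAcquire` check belongs in the HTTP `upgrade` handler before any session state is created, `markAuthenticated` runs once the handshake's credentials are verified, and `release` is wired to the socket's close and error events so abandoned connections do not leak slots.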

Weakness Enumeration

Allocation of Resources Without Limits

Resource Exhaustion

Related identifiers

GHSA-F44P-C7W9-7XR7

Affected products

Openclaw