PT-2026-24672 · Npm · @Openclaw/Voice-Call
Jiseoung · Published 2026-03-02 · Updated 2026-05-26
CVE-2026-32062
CVSS v4.0: 8.7 (High)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions
OpenClaw versions prior to 2026.2.22
@openclaw/voice-call versions prior to 2026.2.22
Description
OpenClaw and @openclaw/voice-call complete media-stream WebSocket upgrades before validating the stream, so a client that has passed neither call nor token validation can still establish a connection. A remote, unauthenticated attacker can hold such pre-authenticated sockets open and idle, consuming connection resources and degrading availability for legitimate media streams. The root cause is the ordering in the voice-call media-stream path: the socket was upgraded first and stream validation ran afterwards, leaving a window in which unvalidated idle sockets are retained. Exhausting server resources this way produces a denial-of-service (DoS) condition. Approximately 128,000 instances are potentially affected.
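As an added illustration of the ordering defect described above (not OpenClaw's or the package's own code), the following Node.js snippet contrasts an upgrade handler that admits the socket before validation with one that validates first, rejects early, and reaps silent sockets. The function names, the token check, the `state.open` set and the idle limit are assumptions constructed for this example.

```javascript
// Added illustration of the advisory's ordering defect; not OpenClaw code.
// Token set, idle limit and function names are constructed assumptions.
const KNOWN_CALL_TOKENS = new Set(['tok-constructed-1']); // constructed sample
const IDLE_LIMIT_MS = 5000;                                // assumed policy

// Stream validation: the upgrade request must carry a token bound to a live call.
function validateStream(req) {
  const token = new URL(req.url, 'http://localhost').searchParams.get('token');
  return token !== null && KNOWN_CALL_TOKENS.has(token);
}

// Vulnerable ordering: upgrade first, validate later. The socket is already
// held open when validation runs, so an unvalidated client occupies a slot.
function acceptUpgradeVulnerable(req, socket, state) {
  socket.upgraded = true;                 // 101 already sent, socket retained
  state.open.add(socket);
  return validateStream(req) ? 'accepted' : 'pending-unvalidated';
}

// Fixed ordering: validate before upgrading, answer 401 and drop the socket
// on failure, and record activity so silent sockets can be reaped.
function acceptUpgradeFixed(req, socket, state, now) {
  if (!validateStream(req)) {
    socket.write('HTTP/1.1 401 Unauthorized\r\n\r\n');
    socket.destroy();                     // nothing retained for this client
    return 'rejected';
  }
  socket.upgraded = true;
  socket.lastActivity = now;
  state.open.add(socket);
  return 'accepted';
}

// Backstop: close any accepted socket silent for longer than IDLE_LIMIT_MS.
function reapIdle(state, now) {
  let closed = 0;
  for (const s of state.open) {
    if (now - s.lastActivity > IDLE_LIMIT_MS) { s.destroy(); state.open.delete(s); closed++; }
  }
  return closed;
}

// Minimal stand-in for a net.Socket, enough to observe the two behaviours.
function fakeSocket() {
  return { upgraded: false, destroyed: false, written: [],
           write(d) { this.written.push(d); }, destroy() { this.destroyed = true; } };
}
```

In the vulnerable path an unvalidated socket is counted in `state.open` and stays there; in the fixed path it is never upgraded, and even an accepted socket is closed once it goes silent past the limit.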
Recommendations
OpenClaw versions prior to 2026.2.22 should be updated to version 2026.2.22.
@openclaw/voice-call versions prior to 2026.2.22 should be updated to version 2026.2.22.
Fix
DoS
Resource Exhaustion
Allocation of Resources Without Limits
Affected Products
@Openclaw/Voice-Call
Openclaw
Voice-Call