PT-2026-32068 · Npm · Openclaw

Published

2026-03-31

·

Updated

2026-03-31

CVSS v4.0

5.3

Medium

VectorAV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Summary

The gateway accepted unbounded concurrent unauthenticated WebSocket upgrades before allocating them to an authenticated session budget.

Impact

An unauthenticated network attacker could consume socket and worker capacity and disrupt WebSocket availability for legitimate clients.

Affected Component

src/gateway/server-http.ts, src/gateway/server/preauth-connection-budget.ts

Fixed Versions

  • Affected: <= 2026.3.24
  • Patched: >= 2026.3.28
  • Latest stable 2026.3.28 contains the fix.

Fix

Fixed by commit cb5f7e201f (gateway: cap concurrent pre-auth websocket upgrades).
Discovered by:Topsec AlphaLab (wang dong)

Fix

Resource Exhaustion

Allocation of Resources Without Limits

Found an issue in the description? Have something to add? Feel free to write us 👾
dbugs@ptsecurity.com

Weakness Enumeration

CWE-400CWE-770

Related Identifiers

GHSA-F44P-C7W9-7XR7

Affected Products

Openclaw