CVE-2026-32062 in OpenClawinfo

Summary

by MITRE • 03/11/2026

OpenClaw versions 2026.2.21-2 up to, but not including, 2026.2.22, and @openclaw/voice-call versions 2026.2.21 up to, but not including, 2026.2.22 accept media-stream WebSocket upgrades before stream validation, allowing unauthenticated clients to establish connections. Remote attackers can hold idle pre-authenticated sockets open to consume connection resources and degrade service availability for legitimate streams.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 05/27/2026

The vulnerability identified as CVE-2026-32062 affects OpenClaw software versions 2026.2.21-2 and earlier, as well as @openclaw/voice-call versions 2026.2.21 and earlier, specifically within the WebSocket communication framework that handles media streams. This issue represents a critical flaw in the authentication and authorization process where the system accepts WebSocket upgrade requests for media streams before performing proper stream validation. The flaw allows unauthenticated clients to establish WebSocket connections to the system, bypassing the normal authentication mechanisms that should occur before stream establishment. This vulnerability manifests as a failure in the security protocol implementation where the system should validate the stream identity and authentication status before accepting the WebSocket upgrade request. The root cause aligns with CWE-287 which addresses improper authentication issues, specifically focusing on the timing of authentication checks within the connection establishment process.

The technical exploitation of this vulnerability enables remote attackers to maintain idle pre-authenticated WebSocket connections that consume valuable system resources including memory, file descriptors, and network bandwidth. Attackers can leverage this weakness by establishing multiple WebSocket connections without providing valid authentication credentials, effectively creating a resource exhaustion attack vector. The system's failure to properly validate stream authenticity before accepting WebSocket upgrade requests creates an opening for attackers to hold these connections open indefinitely, consuming connection slots and potentially leading to denial of service conditions for legitimate users. This particular flaw demonstrates a race condition or timing issue in the connection handling logic where the system accepts connections before performing necessary validation checks, making it susceptible to resource consumption attacks.

The operational impact of CVE-2026-32062 extends beyond simple resource exhaustion to potentially compromise system availability and performance for authorized users. When attackers maintain persistent idle connections, they can effectively starve the system of available connection slots, preventing legitimate users from establishing new media streams or voice calls. This degradation of service availability affects the core functionality of the OpenClaw platform, particularly impacting voice communication services that depend on WebSocket connections for real-time media streaming. The vulnerability creates a persistent threat where attackers can maintain connections for extended periods without consuming additional resources, making detection difficult while simultaneously degrading system performance for legitimate users who require access to the platform's communication services.

Security mitigations for this vulnerability should focus on implementing proper connection validation before accepting WebSocket upgrade requests, ensuring that authentication occurs prior to stream establishment. System administrators should upgrade to OpenClaw version 2026.2.22 or later where this vulnerability has been addressed through proper authentication timing controls. Network-level protections including connection rate limiting, maximum connection duration enforcement, and automatic connection cleanup mechanisms should be implemented to prevent abuse of the vulnerable system. The solution aligns with ATT&CK technique T1499.004 which addresses network denial of service, and should include monitoring for unusual connection patterns and implementing connection lifecycle management policies. Additionally, implementing proper resource accounting and connection timeout mechanisms will help detect and prevent attackers from maintaining persistent idle connections that consume system resources without providing legitimate service access.

Responsible

VulnCheck

Reservation

03/10/2026

Disclosure

03/11/2026

Moderation

accepted

CPE

ready

EPSS

0.00426

KEV

no

Activities

very low

Sources

Interested in the pricing of exploits?

See the underground prices here!