CVE-2026-32062

Summary

OpenClaw versions 2026.2.21-2 up to, but not including, 2026.2.22, and @openclaw/voice-call versions 2026.2.21 up to, but not including, 2026.2.22 accept media-stream WebSocket upgrades before stream validation, allowing unauthenticated clients to establish connections. Remote attackers can hold idle pre-authenticated sockets open to consume connection resources and degrade service availability for legitimate streams.

Affected Software

VendorProductVersion RangeStatus
openclawopenclaw2026.2.21-2 < 2026.2.22affected
openclawopenclaw2026.2.22unaffected
openclawvoice-call2026.2.21affected
openclawvoice-call2026.2.22unaffected

Weaknesses

  • CWE-770: Allocation of Resources Without Limits or Throttling

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

References