Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-32062 is a vulnerability in OpenClaw and its @openclaw/voice-call package where media-stream WebSocket connections are accepted before validating the media stream. This means unauthenticated clients can establish connections without proper verification.'}, {'type': 'paragraph', 'content': "Specifically, the system accepts WebSocket upgrades before receiving a valid 'start' frame that triggers stream validation, allowing remote attackers to hold idle, pre-authenticated sockets open."}, {'type': 'paragraph', 'content': 'This flaw enables attackers to consume connection resources by maintaining many idle connections, potentially leading to denial of service by degrading availability for legitimate users.'}] [1, 2]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can impact you by allowing remote attackers to consume server resources through unauthenticated, idle WebSocket connections.

By holding many pre-authenticated sockets open, attackers can exhaust connection resources, leading to degraded service availability or denial of service for legitimate users.

In environments where the media-stream endpoint is reachable and streaming is enabled, this can cause significant service disruption and reduced quality of service.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

This vulnerability involves unauthenticated clients establishing media-stream WebSocket connections before stream validation, allowing idle pre-authenticated sockets to consume resources.

To detect this on your network or system, monitor WebSocket connections to the media-stream endpoint for unusually high numbers of idle or pre-start connections that do not send a valid start frame within a short time.

Commands or approaches to detect this may include:

• Using network monitoring tools (e.g., tcpdump, Wireshark) to capture WebSocket upgrade requests and identify many open connections without subsequent start frames.
• Checking server logs for WebSocket connections that remain open beyond the expected pre-start timeout (default 5000 ms) without authentication or stream start.
• Using commands like `netstat` or `ss` to count the number of open WebSocket connections to the media-stream port and identify if the number exceeds normal thresholds.
• Implementing or reviewing application-level metrics or logs that track pending WebSocket connections and their states (pre-start vs active).

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation is to upgrade OpenClaw and @openclaw/voice-call packages to version 2026.2.22 or later, which includes the fix for this vulnerability.

The fix implements several controls to prevent resource exhaustion from unauthenticated WebSocket connections:

• Enforce a pre-start timeout (default 5000 ms) to close WebSocket connections that do not send a valid start frame promptly.
• Limit the total number of unauthenticated pending connections globally (default 32).
• Limit the number of unauthenticated pending connections per IP address (default 4).
• Set a hard cap on total open media-stream WebSocket connections (default 128).

Additionally, operators can tune these parameters in the voice-call plugin configuration schema as needed.

Until the upgrade is applied, consider monitoring and limiting WebSocket connections at the network or application level to reduce the risk of denial of service.

Useful 0 Not Useful 0