CVE-2026-41399
Status: Received - Intake
Denial of Service via Unauthenticated WebSocket Flood in OpenClaw

Publication date: 2026-04-28

Last updated on: 2026-04-30

Assigner: VulnCheck

Description
OpenClaw before 2026.3.28 accepts unbounded concurrent unauthenticated WebSocket upgrades without pre-authentication budget allocation. Unauthenticated network attackers can exhaust socket and worker capacity to disrupt WebSocket availability for legitimate clients.
Meta Information
  • Published: 2026-04-28
  • Last modified: 2026-04-30
  • Generated: 2026-06-16
  • AI Q&A: 2026-04-28
  • EPSS evaluated: 2026-06-15
Affected Vendors & Products
One associated CPE:
  • Vendor: openclaw
  • Product: openclaw
  • Version range: all versions before 2026.3.28 (2026.3.28 itself excluded)
CWE
  • CWE-770 (Allocation of Resources Without Limits or Throttling): The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
Executive Summary

CVE-2026-41399 is a high-severity denial of service vulnerability in OpenClaw versions before 2026.3.28. The vulnerability occurs because the system accepts an unlimited number of concurrent unauthenticated WebSocket upgrade requests without enforcing any limits or throttling before authentication.

This lack of control allows unauthenticated network attackers to flood the server with WebSocket upgrade requests, exhausting socket and worker resources. As a result, legitimate clients experience disruption in WebSocket availability.

The root cause is uncontrolled resource consumption and allocation without limits, specifically in the components handling pre-authenticated WebSocket connections.

Impact Analysis

This vulnerability can lead to a denial of service (DoS) condition on the OpenClaw server by allowing attackers to exhaust critical server resources such as sockets and worker threads.

As a result, legitimate users may be unable to establish or maintain WebSocket connections, causing service disruption and potential downtime.

The attack requires no privileges or user interaction and can be executed remotely, making it easier for attackers to exploit.

Detection Guidance

This vulnerability involves unbounded concurrent unauthenticated WebSocket upgrade requests that exhaust server resources. Detection can focus on monitoring unusually high numbers of WebSocket upgrade requests from unauthenticated sources.

You can detect potential exploitation by analyzing network traffic for excessive WebSocket upgrade requests (HTTP 101 Switching Protocols) without corresponding authenticated sessions.

Suggested commands include using network monitoring tools like tcpdump or Wireshark to filter WebSocket upgrade requests, for example:

  • tcpdump -i <interface> 'tcp port 80 or tcp port 443' -w websocket_traffic.pcap
  • Then analyze the capture with Wireshark, filtering for HTTP 101 Switching Protocols responses, which indicate completed WebSocket upgrades. Note that on port 443 the HTTP exchange is inside TLS, so the 101 responses are only visible at the TLS-terminating endpoint or with the session keys available for decryption.

Additionally, server logs can be inspected for a high rate of WebSocket upgrade requests without authentication.

Mitigation Strategies

The primary mitigation is to upgrade OpenClaw to version 2026.3.28 or later, where the vulnerability has been fixed by introducing caps on concurrent pre-authenticated WebSocket upgrades.

Until the upgrade can be applied, consider implementing network-level rate limiting or firewall rules to restrict the number of WebSocket upgrade requests from unauthenticated sources.

Monitoring and alerting on unusual spikes in WebSocket upgrade requests can also help in early detection and response.
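As an added example, not OpenClaw's own code, this sketches the shape of the fix described above: a pre-authentication budget that caps concurrent unauthenticated WebSocket upgrades both globally and per source address, and reclaims slots from handshakes that never authenticate before a deadline. The class and function names, the caps and the sample addresses are assumptions made for the illustration.

```python
import time
from collections import defaultdict


class PreAuthUpgradeBudget:
    """Caps WebSocket upgrades that have been accepted but not yet authenticated.

    A slot is reserved when the upgrade is accepted and released when the
    client authenticates, disconnects, or the handshake deadline passes.
    Without the deadline, idle half-open handshakes would pin slots forever.
    """

    def __init__(self, global_cap, per_source_cap, handshake_timeout, clock=time.monotonic):
        self.global_cap = global_cap
        self.per_source_cap = per_source_cap
        self.handshake_timeout = handshake_timeout
        self.clock = clock                  # injectable for deterministic tests
        self.pending = {}                   # conn_id -> (source, admitted_at)
        self.per_source = defaultdict(int)  # source -> pending count

    def _expire_stale(self):
        """Release slots held by handshakes that exceeded the deadline."""
        now = self.clock()
        for conn_id, (_, admitted_at) in list(self.pending.items()):
            if now - admitted_at > self.handshake_timeout:
                self.release(conn_id)

    def try_admit(self, conn_id, source):
        """Reserve a slot for an unauthenticated upgrade; False if a cap is hit."""
        self._expire_stale()
        if len(self.pending) >= self.global_cap:
            return False                    # server-wide pre-auth budget exhausted
        if self.per_source[source] >= self.per_source_cap:
            return False                    # one source may not hog the budget
        self.pending[conn_id] = (source, self.clock())
        self.per_source[source] += 1
        return True

    def release(self, conn_id):
        """Free the slot on auth success, close, or expiry. False if unknown."""
        entry = self.pending.pop(conn_id, None)
        if entry is None:
            return False
        source = entry[0]
        self.per_source[source] -= 1
        if self.per_source[source] == 0:
            del self.per_source[source]
        return True

    def pending_count(self):
        return len(self.pending)


def simulate_flood(budget, flood_source, flood_count, legit_source):
    """Constructed scenario: a burst of unauthenticated upgrades from one source,
    then one legitimate client. Returns (flood upgrades admitted, legit admitted)."""
    admitted = sum(budget.try_admit(f"flood-{i}", flood_source) for i in range(flood_count))
    return admitted, budget.try_admit("legit-1", legit_source)
```

With the per-source cap in place, a single-source burst stops at the cap and the legitimate client still gets a slot; the global cap bounds the worst case across many sources, and the timeout returns slots that a flood of never-authenticating handshakes would otherwise hold.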

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
