CVE-2026-41399
Denial of Service via Unauthenticated WebSocket Flood in OpenClaw
Publication date: 2026-04-28
Last updated on: 2026-04-30
Assigner: VulnCheck
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| openclaw | openclaw | to 2026.3.28 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-770 | The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-41399 is a high-severity denial of service vulnerability in OpenClaw versions before 2026.3.28. The vulnerability occurs because the system accepts an unlimited number of concurrent unauthenticated WebSocket upgrade requests without enforcing any limits or throttling before authentication.
This lack of control allows unauthenticated network attackers to flood the server with WebSocket upgrade requests, exhausting socket and worker resources. As a result, legitimate clients experience disruption in WebSocket availability.
The root cause is uncontrolled resource consumption and allocation without limits, specifically in the components handling pre-authenticated WebSocket connections.
How can this vulnerability impact me?
This vulnerability can lead to a denial of service (DoS) condition on the OpenClaw server by allowing attackers to exhaust critical server resources such as sockets and worker threads.
As a result, legitimate users may be unable to establish or maintain WebSocket connections, causing service disruption and potential downtime.
The attack requires no privileges or user interaction and can be executed remotely, making it easier for attackers to exploit.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves unbounded concurrent unauthenticated WebSocket upgrade requests that exhaust server resources. Detection can focus on monitoring unusually high numbers of WebSocket upgrade requests from unauthenticated sources.
You can detect potential exploitation by analyzing network traffic for excessive WebSocket upgrade requests (HTTP 101 Switching Protocols) without corresponding authenticated sessions.
Suggested commands include using network monitoring tools like tcpdump or Wireshark to filter WebSocket upgrade requests, for example:
- tcpdump -i <interface> 'tcp port 80 or tcp port 443' -w websocket_traffic.pcap
- Then analyze the capture with Wireshark, filtering for HTTP 101 status codes, which indicate completed WebSocket upgrades.
Additionally, server logs can be inspected for a high rate of WebSocket upgrade requests without authentication.
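A packet capture on port 443 only shows the 101 responses if TLS is terminated somewhere you can inspect, so the server's own access log is usually the more reliable source. The following added example (written for this page, not OpenClaw code) runs the log-based check described above over a few constructed access-log lines: it counts HTTP 101 responses per source address inside a sliding time window, ignores upgrades that completed with an authenticated user, and reports sources that exceed a threshold. The log format is an assumption: Combined Log Format with one extra trailing field holding the authenticated user, or "-" when the request was unauthenticated.

```python
"""Flag sources producing bursts of unauthenticated WebSocket upgrades (HTTP 101).

Added example, not OpenClaw's code. Assumed log format: Combined Log Format
plus a trailing field for the authenticated user ("-" if unauthenticated).
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" (?P<user>\S+)$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample log: one source floods /ws with unauthenticated upgrades,
# one authenticated client upgrades twice, one unauthenticated client once.
SAMPLE_LOG = [
    '203.0.113.7 - - [28/Apr/2026:10:00:00 +0000] "GET /ws HTTP/1.1" 101 0 "-" "flood/0.1" -',
    '203.0.113.7 - - [28/Apr/2026:10:00:00 +0000] "GET /ws HTTP/1.1" 101 0 "-" "flood/0.1" -',
    '203.0.113.7 - - [28/Apr/2026:10:00:01 +0000] "GET /ws HTTP/1.1" 101 0 "-" "flood/0.1" -',
    '198.51.100.2 - - [28/Apr/2026:10:00:01 +0000] "GET /ws HTTP/1.1" 101 0 "-" "client/2.0" alice',
    '203.0.113.7 - - [28/Apr/2026:10:00:01 +0000] "GET /ws HTTP/1.1" 101 0 "-" "flood/0.1" -',
    '203.0.113.7 - - [28/Apr/2026:10:00:02 +0000] "GET /ws HTTP/1.1" 101 0 "-" "flood/0.1" -',
    '198.51.100.2 - - [28/Apr/2026:10:00:02 +0000] "GET /ws HTTP/1.1" 101 0 "-" "client/2.0" alice',
    '203.0.113.7 - - [28/Apr/2026:10:00:02 +0000] "GET /ws HTTP/1.1" 101 0 "-" "flood/0.1" -',
    '203.0.113.7 - - [28/Apr/2026:10:00:03 +0000] "GET /ws HTTP/1.1" 101 0 "-" "flood/0.1" -',
    '203.0.113.7 - - [28/Apr/2026:10:00:03 +0000] "GET /ws HTTP/1.1" 101 0 "-" "flood/0.1" -',
    '192.0.2.9 - - [28/Apr/2026:10:00:05 +0000] "GET /ws HTTP/1.1" 101 0 "-" "client/2.0" -',
]


def parse_line(line):
    """Parse one access-log line; return None for lines in another format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "status": int(m["status"]),
        "user": m["user"],
    }


def find_upgrade_floods(lines, window_seconds=10, threshold=5):
    """Return {ip: peak count} for sources whose unauthenticated HTTP 101
    responses exceed `threshold` within any sliding window of `window_seconds`.
    Lines are assumed to be in chronological order, as an access log is."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # ip -> timestamps of recent unauth upgrades
    offenders = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["status"] != 101 or rec["user"] != "-":
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window:
            q.popleft()  # drop timestamps that fell out of the window
        if len(q) > threshold:
            offenders[rec["ip"]] = max(offenders.get(rec["ip"], 0), len(q))
    return offenders


if __name__ == "__main__":
    for ip, peak in find_upgrade_floods(SAMPLE_LOG).items():
        print(f"ALERT {ip}: {peak} unauthenticated WebSocket upgrades in a 10s window")
```

Run against a real log, the threshold and window should be tuned to the deployment's normal reconnect rate; a reconnect storm after a server restart will also cross a low threshold, so correlate alerts with deploy events before acting on them.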
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade OpenClaw to version 2026.3.28 or later, where the vulnerability has been fixed by introducing caps on concurrent pre-authenticated WebSocket upgrades.
Until the upgrade can be applied, consider implementing network-level rate limiting or firewall rules to restrict the number of WebSocket upgrade requests from unauthenticated sources.
Monitoring and alerting on unusual spikes in WebSocket upgrade requests can also help in early detection and response.
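The fix described above caps concurrent pre-authenticated upgrades. The following added example (written for this page; not OpenClaw's own fix and not tied to any WebSocket library) shows the shape of such a gate and goes slightly beyond the page: besides a global cap it adds a per-source cap and a deadline by which a pending upgrade must authenticate, so slots held by connections that never authenticate are reclaimed. The cap values, the source-keying by client address and the injectable clock are assumptions chosen for illustration.

```python
"""Gate for WebSocket upgrades that have not yet authenticated.

Added example, not OpenClaw code. A server would call try_admit() before
accepting an upgrade (rejecting with 503/429 on False), authenticated()
once the session proves its identity, and closed() when the socket drops.
"""
import time


class PreAuthUpgradeGate:
    def __init__(self, global_cap=100, per_source_cap=10,
                 auth_timeout=5.0, clock=time.monotonic):
        self.global_cap = global_cap          # assumed value
        self.per_source_cap = per_source_cap  # assumed value
        self.auth_timeout = auth_timeout      # seconds to authenticate
        self.clock = clock
        self._pending = {}     # conn_id -> (source, deadline)
        self._per_source = {}  # source -> number of pending upgrades

    def _drop(self, conn_id):
        src, _ = self._pending.pop(conn_id)
        self._per_source[src] -= 1
        if self._per_source[src] == 0:
            del self._per_source[src]

    def _expire(self):
        """Reclaim slots of upgrades that missed their authentication deadline."""
        now = self.clock()
        for conn_id, (_, deadline) in list(self._pending.items()):
            if now >= deadline:
                self._drop(conn_id)

    def try_admit(self, conn_id, source):
        """Return True if a new pre-auth upgrade may proceed, False to reject."""
        self._expire()
        if len(self._pending) >= self.global_cap:
            return False
        if self._per_source.get(source, 0) >= self.per_source_cap:
            return False
        self._pending[conn_id] = (source, self.clock() + self.auth_timeout)
        self._per_source[source] = self._per_source.get(source, 0) + 1
        return True

    def authenticated(self, conn_id):
        """Connection proved its identity: it no longer counts against the cap."""
        if conn_id in self._pending:
            self._drop(conn_id)

    def closed(self, conn_id):
        """Socket closed before authenticating: free its slot immediately."""
        if conn_id in self._pending:
            self._drop(conn_id)

    def pending_count(self):
        self._expire()
        return len(self._pending)


class FakeClock:
    """Controllable clock so the timeout path can be exercised without sleeping."""
    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def simulate_flood(attempts=50):
    """Constructed scenario: one source opens many upgrades and never
    authenticates, while a legitimate client arrives during the flood."""
    clock = FakeClock()
    gate = PreAuthUpgradeGate(global_cap=20, per_source_cap=5,
                              auth_timeout=5.0, clock=clock)
    admitted = sum(gate.try_admit(f"flood-{i}", "203.0.113.7")
                   for i in range(attempts))
    legit_ok = gate.try_admit("legit-1", "198.51.100.2")
    gate.authenticated("legit-1")
    clock.advance(6.0)  # flood connections miss their 5s deadline
    pending_after_timeout = gate.pending_count()
    reclaimed = gate.try_admit("flood-again", "203.0.113.7")
    return {"admitted": admitted, "legit_ok": legit_ok,
            "pending_after_timeout": pending_after_timeout, "reclaimed": reclaimed}


if __name__ == "__main__":
    print(simulate_flood())
```

The per-source cap keeps one address from consuming the whole global budget, and the deadline bounds how long a half-open upgrade can occupy a slot; both matter because the page's root cause is that pre-authentication resources were allocated with no limit at all.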
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.