Vulnerability Description
OpenClaw versions 2026.2.21-2 prior to 2026.2.22 and @openclaw/voice-call versions 2026.2.21 prior to 2026.2.22 accept media-stream WebSocket upgrades before stream validation, allowing unauthenticated clients to establish connections. Remote attackers can hold idle pre-authenticated sockets open to consume connection resources and degrade service availability for legitimate streams.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Openclaw | Openclaw | < 2026.2.22 |
| Openclaw | Openclaw\/Voice-Call | < 2026.2.22 |
Related Weaknesses (CWE)
References
- https://github.com/openclaw/openclaw/commit/1d8968c8a821ff1a05c294a1846b3bcb6f34Patch
- https://github.com/openclaw/openclaw/security/advisories/GHSA-mfg5-7q5g-f37jMitigationVendor Advisory
- https://www.vulncheck.com/advisories/openclaw-unauthenticated-websocket-resourceThird Party Advisory
FAQ
What is CVE-2026-32062?
CVE-2026-32062 is a vulnerability with a CVSS score of 7.5 (HIGH). OpenClaw versions 2026.2.21-2 prior to 2026.2.22 and @openclaw/voice-call versions 2026.2.21 prior to 2026.2.22 accept media-stream WebSocket upgrades before stream validation, allowing unauthenticate...
How severe is CVE-2026-32062?
CVE-2026-32062 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-32062?
Check the references section above for vendor advisories and patch information. Affected products include: Openclaw Openclaw, Openclaw Openclaw\/Voice-Call.