OpenClaw voice-call media stream validated streams after upgrade, which could allow pre-start unauthenticated sockets to increase resource pressure
🔗 CVE IDs covered (1)
📋 Description
Summary
@openclaw/voice-call (and the bundled copy shipped in openclaw) accepted media-stream WebSocket upgrades before stream validation. In reachable deployments, unauthenticated pre-start sockets could be held open and increase resource pressure.
Affected Packages / Versions
openclaw(npm): vulnerable<= 2026.2.21-2, patched in2026.2.22.@openclaw/voice-call(npm): vulnerable<= 2026.2.21, patched in2026.2.22.
Technical Details
Before this fix, the voice-call media-stream path upgraded sockets first and ran shouldAcceptStream() after a later start frame. This created a pre-auth window where remote clients could hold idle sockets without call/token validation.
Impact
Availability risk in deployments where the media-stream endpoint is reachable and streaming is enabled. Under sustained abuse, this could consume connection-related resources and degrade service for legitimate streams.
Remediation
The fix adds layered controls in the media-stream path:
- strict pre-start timeout (close sockets that do not send a valid
startframe quickly) - global pending-connection cap
- per-IP pending-connection cap
- total open media-stream connection cap
- safer upgrade-path parsing in the webhook server
Fix Commit(s)
1d8968c8a821ff1a05c294a1846b3bcb6f343794
Release Process Note
patched_versions is pre-set to 2026.2.22 so this advisory is ready to publish once npm [email protected] and @openclaw/[email protected] are released.
OpenClaw thanks @jiseoung for reporting.
🎯 Affected products2
- npm/openclaw:< 2026.2.22
- npm/@openclaw/voice-call:< 2026.2.22
🔗 References (5)
- https://github.com/openclaw/openclaw/security/advisories/GHSA-mfg5-7q5g-f37j
- https://github.com/openclaw/openclaw/commit/1d8968c8a821ff1a05c294a1846b3bcb6f343794
- https://nvd.nist.gov/vuln/detail/CVE-2026-32062
- https://www.vulncheck.com/advisories/openclaw-unauthenticated-websocket-resource-exhaustion-via-media-stream
- https://github.com/advisories/GHSA-mfg5-7q5g-f37j