7.8
OpenClaw Voice Call: Large WebSocket Frames Cause Resource Consumption
GHSA-2w79-r9g8-wmcr
Summary
If you're using a version of OpenClaw older than 2026.3.31, an attacker could send a specially crafted WebSocket message that consumes your system's resources, potentially causing it to slow down or crash. This is a medium-risk issue that has been fixed in version 2026.3.31. Update to the latest version to protect your system.
What to do
- Update openclaw to version 2026.3.31.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | openclaw | <= 2026.3.31 | 2026.3.31 |
Original title
OpenClaw: Voice-call still parses large WebSocket frames before start validation (Incomplete fix for CVE-2026-32062)
Original description
## Summary
Incomplete fix for CVE-2026-32062: voice-call still parses large WebSocket frames before start validation
## Current Maintainer Triage
- Normalized severity: medium
- Assessment: v2026.3.28 still parses oversized pre-start voice-call WebSocket frames before start validation, and the unreleased maxPayload fix confirms the shipped resource-consumption bug remains open.
## Affected Packages / Versions
- Package: `openclaw` (npm)
- Latest published npm version: `2026.3.31`
- Vulnerable version range: `<=2026.3.28`
- Patched versions: `>= 2026.3.31`
- First stable tag containing the fix: `v2026.3.31`
## Fix Commit(s)
- `9abcfdadf591bf266d85fbdfe14ae833e557a110` — 2026-03-31T19:47:10+09:00
OpenClaw thanks @Kazamayc for reporting.
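The triage note above ties the fix to a `maxPayload` limit. As an added example (not OpenClaw's code and not taken from the fix commit), the code below shows the check such a limit relies on: the payload length declared in the RFC 6455 frame header is compared to a cap before any payload is buffered or parsed. The 64 KiB cap, the function names and the sample headers are assumptions made for illustration.

```javascript
// Added example, not OpenClaw code. Names and the 64 KiB cap are assumptions.
const MAX_PAYLOAD = 64 * 1024;      // assumed cap for the voice-call stream
const CLOSE_PROTOCOL_ERROR = 1002;  // RFC 6455 close codes
const CLOSE_TOO_BIG = 1009;

// Read the declared payload length from an RFC 6455 frame header.
// Returns null while the header is still incomplete.
function readHeader(buf) {
  if (buf.length < 2) return null;
  const fin = (buf[0] & 0x80) !== 0;
  const masked = (buf[1] & 0x80) !== 0;
  const len7 = buf[1] & 0x7f;
  if (len7 < 126) return { fin, masked, length: BigInt(len7) };
  if (len7 === 126) {
    return buf.length < 4 ? null : { fin, masked, length: BigInt(buf.readUInt16BE(2)) };
  }
  return buf.length < 10 ? null : { fin, masked, length: buf.readBigUInt64BE(2) };
}

// Decide what to do with a frame from its header alone. `buffered` is the
// number of bytes already held for earlier fragments of the same message.
function admitFrame(headerBytes, buffered = 0, maxPayload = MAX_PAYLOAD) {
  const h = readHeader(headerBytes);
  if (h === null) return { action: "need-more-header" };
  if (!h.masked) return { action: "close", code: CLOSE_PROTOCOL_ERROR };
  if (h.length + BigInt(buffered) > BigInt(maxPayload)) {
    return { action: "close", code: CLOSE_TOO_BIG }; // nothing allocated or parsed
  }
  return { action: "read-payload", bytes: Number(h.length), fin: h.fin };
}

// Constructed sample input: a masked client text-frame header declaring `len` bytes.
function sampleHeader(len, fin = true) {
  const first = (fin ? 0x80 : 0x00) | 0x1;
  if (len < 126) return Buffer.from([first, 0x80 | len, 0, 0, 0, 0]);
  if (len < 65536) {
    const b = Buffer.alloc(8);
    b[0] = first; b[1] = 0x80 | 126;
    b.writeUInt16BE(len, 2);
    return b;
  }
  const b = Buffer.alloc(14);
  b[0] = first; b[1] = 0x80 | 127;
  b.writeBigUInt64BE(BigInt(len), 2);
  return b;
}

console.log(admitFrame(sampleHeader(200)));
console.log(admitFrame(sampleHeader(10 * 1024 * 1024)));
```

The decision is made from at most 10 header bytes, so an oversized frame is refused with close code 1009 before the message handler or any JSON parsing sees it.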
osv CVSS4.0: 7.8
Vulnerability type
- CWE-400: Uncontrolled Resource Consumption
- CWE-770: Allocation of Resources Without Limits
Published: 3 Apr 2026 · Updated: 3 Apr 2026 · First seen: 3 Apr 2026