CVE-2026-32062
OpenClaw voice-call media stream validated streams after upgrade, which could allow pre-start unauthenticated sockets to increase resource pressure
Description
### Summary

`@openclaw/voice-call` (and the bundled copy shipped in `openclaw`) accepted media-stream WebSocket upgrades before stream validation. In reachable deployments, unauthenticated pre-start sockets could be held open and increase resource pressure.

### Affected Packages / Versions

- `openclaw` (npm): vulnerable `<= 2026.2.21-2`, patched in `2026.2.22`.
- `@openclaw/voice-call` (npm): vulnerable `<= 2026.2.21`, patched in `2026.2.22`.

### Technical Details

Before this fix, the voice-call media-stream path upgraded sockets first and ran `shouldAcceptStream()` only after a later `start` frame. This created a pre-auth window in which remote clients could hold idle sockets open without any call/token validation.

### Impact

Availability risk in deployments where the media-stream endpoint is reachable and streaming is enabled. Under sustained abuse, this could consume connection-related resources and degrade service for legitimate streams.

### Remediation

The fix adds layered controls in the media-stream path:

- strict pre-start timeout (close sockets that do not send a valid `start` frame quickly)
- global pending-connection cap
- per-IP pending-connection cap
- total open media-stream connection cap
- safer upgrade-path parsing in the webhook server

### Fix Commit(s)

- `1d8968c8a821ff1a05c294a1846b3bcb6f343794`

### Release Process Note

`patched_versions` is pre-set to `2026.2.22` so this advisory is ready to publish once npm `openclaw@2026.2.22` and `@openclaw/voice-call@2026.2.22` are released.

OpenClaw thanks @jiseoung for reporting.
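The layered controls listed under Remediation, shown as an added illustrative example in JavaScript (this is not OpenClaw's code): a guard that admits a socket at upgrade time only within the per-IP, global-pending and total-open caps, promotes it only after `shouldAcceptStream()` passes on the `start` frame, and sweeps pre-start sockets that miss the deadline. The limit values, the `shouldAcceptStream` callback shape and the sample IPs are assumptions.

```javascript
// Illustrative limits (assumed values, not the project's defaults).
const LIMITS = {
  startTimeoutMs: 5000,  // pre-start deadline: no valid `start` frame in 5 s -> close
  maxPendingTotal: 3,    // global cap on sockets that have not yet sent `start`
  maxPendingPerIp: 2,    // per-IP cap on pre-start sockets
  maxOpenTotal: 4,       // cap on all open media-stream sockets (pending + started)
};

class MediaStreamGuard {
  constructor(limits = LIMITS, shouldAcceptStream = () => true) {
    this.limits = limits;
    this.shouldAcceptStream = shouldAcceptStream; // hypothetical validator for the start frame
    this.pending = new Map(); // id -> { ip, deadline }
    this.started = new Set(); // ids that passed validation
    this.nextId = 1;
  }
  pendingForIp(ip) {
    let n = 0;
    for (const p of this.pending.values()) if (p.ip === ip) n++;
    return n;
  }
  // Called at WebSocket upgrade, before any frame from the client is trusted.
  onUpgrade(ip, now) {
    const open = this.pending.size + this.started.size;
    if (open >= this.limits.maxOpenTotal) return { ok: false, reason: "open-cap" };
    if (this.pending.size >= this.limits.maxPendingTotal) return { ok: false, reason: "pending-cap" };
    if (this.pendingForIp(ip) >= this.limits.maxPendingPerIp) return { ok: false, reason: "per-ip-cap" };
    const id = this.nextId++;
    this.pending.set(id, { ip, deadline: now + this.limits.startTimeoutMs });
    return { ok: true, id };
  }
  // Called when the client's `start` frame arrives; the socket stays unprivileged until it validates.
  onStart(id, frame) {
    const p = this.pending.get(id);
    if (!p) return { ok: false, reason: "unknown" };
    this.pending.delete(id);
    if (!this.shouldAcceptStream(frame)) return { ok: false, reason: "rejected" }; // caller closes socket
    this.started.add(id);
    return { ok: true };
  }
  onClose(id) { this.pending.delete(id); this.started.delete(id); }
  // Periodic sweep: returns ids whose pre-start deadline has passed; the caller closes them.
  sweep(now) {
    const expired = [];
    for (const [id, p] of this.pending) if (now >= p.deadline) { expired.push(id); this.pending.delete(id); }
    return expired;
  }
}
```

Each rejection reason is a distinct counter worth exporting to metrics: a spike in `per-ip-cap` or `pending-cap` rejections is the observable signature of the pressure this advisory describes.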
How to fix CVE-2026-32062
To remediate CVE-2026-32062, upgrade the affected package to a fixed version below.
- `openclaw`: upgrade to 2026.2.22 or later
- `@openclaw/voice-call`: upgrade to 2026.2.22 or later
Is CVE-2026-32062 being exploited?
Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.