CVE-2026-32062

HIGH 7.5 | EPSS 0.14%

OpenClaw voice-call media stream validated streams after upgrade, which could allow pre-start unauthenticated sockets to increase resource pressure

Published: 2026/3/2 | Modified: 2026/3/13

Description

### Summary

`@openclaw/voice-call` (and the bundled copy shipped in `openclaw`) accepted media-stream WebSocket upgrades before stream validation. In reachable deployments, unauthenticated pre-start sockets could be held open and increase resource pressure.

### Affected Packages / Versions

- `openclaw` (npm): vulnerable `<= 2026.2.21-2`, patched in `2026.2.22`.
- `@openclaw/voice-call` (npm): vulnerable `<= 2026.2.21`, patched in `2026.2.22`.

### Technical Details

Before this fix, the voice-call media-stream path upgraded sockets first and ran `shouldAcceptStream()` only after a later `start` frame. This created a pre-auth window in which remote clients could hold idle sockets open without any call/token validation.

### Impact

Availability risk in deployments where the media-stream endpoint is reachable and streaming is enabled. Under sustained abuse, this could consume connection-related resources and degrade service for legitimate streams.

### Remediation

The fix adds layered controls in the media-stream path:

- strict pre-start timeout (close sockets that do not send a valid `start` frame quickly)
- global pending-connection cap
- per-IP pending-connection cap
- total open media-stream connection cap
- safer upgrade-path parsing in the webhook server

### Fix Commit(s)

- `1d8968c8a821ff1a05c294a1846b3bcb6f343794`

### Release Process Note

`patched_versions` is pre-set to `2026.2.22` so this advisory is ready to publish once npm `openclaw@2026.2.22` and `@openclaw/voice-call@2026.2.22` are released.

OpenClaw thanks @jiseoung for reporting.
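The remediation above can be read as an admission gate that runs at upgrade time rather than after the first frame. The following is an added example (not OpenClaw's code) of such a gate; the limit values, class and method names are assumptions, and `shouldAcceptStream` is passed in as a stand-in for the real call/token validator.

```javascript
// Added example, not OpenClaw's code: admission control for a media-stream
// WebSocket endpoint that applies the advisory's layered limits at upgrade
// time. Limit values and method names are assumptions for illustration.
const DEFAULT_LIMITS = { preStartMs: 2000, pendingTotal: 64, pendingPerIp: 4, openTotal: 256 };

class MediaStreamGate {
  constructor(limits = DEFAULT_LIMITS, now = () => Date.now()) {
    this.limits = limits;
    this.now = now;               // injectable clock so expiry is testable
    this.pending = new Map();     // socketId -> { ip, deadline }, waiting for a start frame
    this.pendingByIp = new Map(); // ip -> number of pending sockets
    this.open = new Set();        // socketIds that passed shouldAcceptStream()
  }
  // Decide at HTTP upgrade time, before any frame is read, whether to keep the socket.
  onUpgrade(socketId, ip) {
    const perIp = this.pendingByIp.get(ip) ?? 0;
    if (this.pending.size >= this.limits.pendingTotal) return 'reject:pending-total';
    if (perIp >= this.limits.pendingPerIp) return 'reject:pending-ip';
    if (this.pending.size + this.open.size >= this.limits.openTotal) return 'reject:open-total';
    this.pending.set(socketId, { ip, deadline: this.now() + this.limits.preStartMs });
    this.pendingByIp.set(ip, perIp + 1);
    return 'pending';
  }
  // Called on the first `start` frame; shouldAcceptStream stands in for the real validator.
  onStart(socketId, shouldAcceptStream) {
    const entry = this.pending.get(socketId);
    if (!entry) return 'reject:not-pending';
    this.dropPending(socketId, entry);
    if (!shouldAcceptStream()) return 'reject:invalid-start';
    this.open.add(socketId);
    return 'open';
  }
  // Run on a timer: returns ids of sockets that missed the pre-start deadline so the server can close them.
  expire() {
    const t = this.now(), closed = [];
    for (const [id, entry] of this.pending) {
      if (entry.deadline <= t) { this.dropPending(id, entry); closed.push(id); }
    }
    return closed;
  }
  onClose(socketId) {
    const e = this.pending.get(socketId); if (e) this.dropPending(socketId, e); this.open.delete(socketId);
  }
  dropPending(socketId, entry) {
    this.pending.delete(socketId);
    const n = (this.pendingByIp.get(entry.ip) ?? 1) - 1;
    if (n <= 0) this.pendingByIp.delete(entry.ip); else this.pendingByIp.set(entry.ip, n);
  }
}
```

A real server would call `onUpgrade` from its HTTP `upgrade` handler and destroy the socket on any `reject:*` result, call `onStart` when the first frame is parsed, and run `expire()` on an interval to close stale pre-start sockets.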

Affected packages (2)

CVSS score

| Source | Version | Severity | Vector |
| --- | --- | --- | --- |
| osv | CVSS 4.0 | | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| osv | CVSS 3.1 | HIGH 7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |

Reference links (5)