PatchSiren cyber security CVE debrief
CVE-2026-32062 Openclaw CVE debrief
CVE-2026-32062 affects OpenClaw versions 2026.2.21-2 prior to 2026.2.22 and @openclaw/voice-call versions 2026.2.21 prior to 2026.2.22. The issue lets media-stream WebSocket upgrades complete before stream validation, so unauthenticated clients can keep idle sockets open and consume connection resources until service availability degrades.
- Vendor: Openclaw
- Product: CVE-2026-32062
- CVSS: HIGH 8.7
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-03-11
- Original CVE updated: 2026-05-12
- Advisory published: 2026-03-11
- Advisory updated: 2026-05-12
Who should care
Operators and developers running OpenClaw or @openclaw/voice-call, especially internet-facing deployments that expose media-stream WebSocket endpoints or rely on connection capacity for legitimate streams.
Technical summary
The vulnerable behavior is an unauthenticated resource-exhaustion condition: the service accepts a WebSocket connection before it has validated the stream, which allows a remote client to hold pre-authenticated sockets open without completing a valid stream. NVD assigns CVSS 4.0 8.7 (HIGH) with network attack vector, no privileges, no user interaction, and availability impact only. The weakness is categorized as CWE-770 (Allocation of Resources Without Limits or Throttling). The affected ranges end before 2026.2.22 for both OpenClaw and @openclaw/voice-call.
Defensive priority
High priority for any exposed deployment. Update promptly if the service is reachable from untrusted networks or if connection exhaustion could affect voice/media availability.
Recommended defensive actions
- Upgrade OpenClaw and @openclaw/voice-call to 2026.2.22 or later.
- Restrict exposure of media-stream WebSocket endpoints to trusted clients and networks where possible.
- Add or verify socket limits, request timeouts, rate limiting, and connection cleanup for pre-authenticated sessions.
- Monitor for unusual growth in idle or pre-validation WebSocket connections and alert on connection pool saturation.
- Review the vendor advisory and patch commit to confirm the fix is present in your deployed build.
Evidence notes
This debrief is based only on the supplied official and vendor-referenced corpus. NVD lists the vulnerable CPE ranges ending before 2026.2.22 and assigns CWE-770. The provided description states that media-stream WebSocket upgrades are accepted before stream validation, enabling unauthenticated clients to hold sockets open and degrade availability. The CVE was published on 2026-03-11 and last modified on 2026-05-12. No KEV listing was provided.
Official resources
- CVE-2026-32062 CVE record (CVE.org)
- CVE-2026-32062 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Patch
- Mitigation or vendor reference: [email protected] - Mitigation, Vendor Advisory
- Mitigation or vendor reference: [email protected] - Third Party Advisory
CVE-2026-32062 was published on 2026-03-11 and last modified on 2026-05-12 in the supplied NVD record. The corpus includes a patch commit, a vendor security advisory, and a third-party advisory; no Known Exploited Vulnerabilities listing is