PatchSiren cyber security CVE debrief
CVE-2026-42437 OpenClaw CVE debrief
A denial-of-service vulnerability exists in OpenClaw versions from 2026.4.9 up to, but not including, 2026.4.10, in the voice-call realtime WebSocket path. The affected code accepts oversized WebSocket frames without validating their size, so a remote, unauthenticated attacker can make the service unavailable by sending very large frames to an exposed endpoint. The issue carries a CVSS 4.0 base score of 8.2 (HIGH). It was disclosed via Vulncheck and is fixed in version 2026.4.10. Organizations running affected versions should prioritize patching, particularly where the voice-call realtime WebSocket endpoint is reachable from outside the organization.
- Vendor: OpenClaw
- Product: Unknown
- CVSS: HIGH 8.2
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-05
- Original CVE updated: 2026-05-26
- Advisory published: 2026-05-05
- Advisory updated: 2026-05-26
Who should care
Organizations operating OpenClaw voice-call services with publicly reachable WebSocket endpoints; security teams monitoring for denial-of-service vectors against real-time communication infrastructure; DevOps teams running WebSocket-based applications that do not enforce frame or message size limits.
Technical summary
The vulnerability stems from insufficient validation of WebSocket frame sizes in OpenClaw's voice-call realtime path. Without a bound on the declared payload length, an attacker can send frames whose size exhausts server memory or triggers a crash, which matches the underlying weakness class CWE-770 (Allocation of Resources Without Limits or Throttling). The CVSS 4.0 vector as recorded here (AV:N/AC:L/AT:P/PR:N/UI:N/VA:H) encodes a network attack vector, low attack complexity, attack requirements present (AT:P), no privileges or user interaction required, and high availability impact; the confidentiality, integrity and subsequent-system metrics are not included in the recorded vector. The referenced fix commit adds frame size validation logic.
Defensive priority
HIGH
Recommended defensive actions
- Upgrade OpenClaw to version 2026.4.10 or later to remediate the vulnerability
- Review and enforce WebSocket size limits at the application or reverse proxy level, capping both the per-frame payload length and the total size of a message assembled from continuation frames, so that a stream of smaller fragments cannot bypass the per-frame cap
- Audit network exposure of the voice-call realtime WebSocket endpoint and restrict access (network ACLs, authentication at the edge) where possible
- Monitor for WebSocket frames with abnormally large declared payload lengths, and for connections repeatedly closed for protocol or size violations, as indicators of exploitation attempts
- Consider rate limiting and connection throttling for WebSocket endpoints to bound the resources any single client can consume
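The check the technical summary describes is a bound on the frame length declared in the RFC 6455 header, applied before the payload is read or buffered. The example below is added here for illustration; it is not OpenClaw's code and does not reproduce the fix commit, which this debrief does not show. It parses the header, rejects a frame whose declared length exceeds an assumed per-frame cap, and also caps the total size of a fragmented message, since many sub-cap continuation frames are the obvious way around a per-frame limit. The caps, the `FrameGuard` class and the constructed sample frames are all assumptions of this example.

```python
import struct

# Assumed limits for this example; they are not OpenClaw's actual settings.
MAX_FRAME_PAYLOAD = 64 * 1024      # largest single frame payload we will read
MAX_MESSAGE_SIZE = 256 * 1024      # largest message assembled from fragments


class OversizedFrame(Exception):
    """Raised from the header alone, before any payload is read or buffered."""


def parse_frame_header(buf):
    """Parse an RFC 6455 frame header from the start of buf.

    Returns (fin, opcode, masked, payload_len, header_len), or None if more
    bytes are needed. Only header bytes are inspected: the declared length is
    a number to validate, not a buffer to allocate.
    """
    if len(buf) < 2:
        return None
    b0, b1 = buf[0], buf[1]
    if b0 & 0x70:
        raise ValueError("RSV bits set without a negotiated extension")
    fin, opcode = bool(b0 & 0x80), b0 & 0x0F
    masked, length = bool(b1 & 0x80), b1 & 0x7F
    pos = 2
    if length == 126:
        if len(buf) < pos + 2:
            return None
        (length,) = struct.unpack_from("!H", buf, pos)
        pos += 2
        if length < 126:
            raise ValueError("non-minimal 16-bit length encoding")
    elif length == 127:
        if len(buf) < pos + 8:
            return None
        (length,) = struct.unpack_from("!Q", buf, pos)
        pos += 8
        if length >> 63 or length < 65536:
            raise ValueError("invalid 64-bit length encoding")
    if masked:
        if len(buf) < pos + 4:
            return None
        pos += 4                      # skip the 4-byte masking key
    if opcode >= 0x8 and (length > 125 or not fin):
        raise ValueError("control frames must be unfragmented and <= 125 bytes")
    return fin, opcode, masked, length, pos


class FrameGuard:
    """Per-frame and per-message size caps for a client-to-server stream (assumed design)."""

    def __init__(self, max_frame=MAX_FRAME_PAYLOAD, max_message=MAX_MESSAGE_SIZE):
        self.max_frame = max_frame
        self.max_message = max_message
        self.pending = 0   # bytes already accepted for an in-progress fragmented message

    def admit(self, buf):
        """Validate the frame at the head of buf. Returns the parsed header,
        None if the header is incomplete, or raises before any payload is read."""
        hdr = parse_frame_header(buf)
        if hdr is None:
            return None
        fin, opcode, masked, length, _header_len = hdr
        if not masked:
            raise ValueError("client-to-server frames must be masked")
        if length > self.max_frame:
            raise OversizedFrame(f"frame declares {length} bytes, cap is {self.max_frame}")
        if opcode < 0x8:                      # data (0x1/0x2) or continuation (0x0)
            total = self.pending + length
            if total > self.max_message:      # fragments must not bypass the cap
                raise OversizedFrame(f"message would reach {total} bytes, cap is {self.max_message}")
            self.pending = 0 if fin else total
        return hdr


def build_frame(opcode, payload, fin=True, declared_len=None, mask_key=b"\x5a\xa5\x0f\xf0"):
    """Build a masked client frame (constructed sample input). declared_len lets a
    test forge a header that promises far more bytes than are actually sent."""
    length = len(payload) if declared_len is None else declared_len
    b0 = (0x80 if fin else 0) | opcode
    if length < 126:
        hdr = bytes([b0, 0x80 | length])
    elif length < 65536:
        hdr = bytes([b0, 0x80 | 126]) + struct.pack("!H", length)
    else:
        hdr = bytes([b0, 0x80 | 127]) + struct.pack("!Q", length)
    masked = bytes(b ^ mask_key[i % 4] for i, b in enumerate(payload))
    return hdr + mask_key + masked


def fragment_flood(chunk_size, frames, guard=None):
    """Send `frames` non-final fragments of chunk_size bytes each; return the
    1-based index of the first frame the guard rejects, or None if all pass."""
    guard = guard or FrameGuard()
    chunk = b"A" * chunk_size
    for i in range(frames):
        try:
            guard.admit(build_frame(0x2 if i == 0 else 0x0, chunk, fin=False))
        except OversizedFrame:
            return i + 1
    return None


def demo():
    """A normal 5-byte text frame is admitted; a header promising 1 TiB is rejected
    from its 14 header bytes alone, with no payload ever buffered."""
    guard = FrameGuard()
    ok = guard.admit(build_frame(0x1, b"hello"))
    try:
        guard.admit(build_frame(0x2, b"", declared_len=1 << 40))
        forged = "accepted"
    except OversizedFrame:
        forged = "rejected"
    return ok, forged
```

The same two caps belong at a reverse proxy in front of the service when the proxy terminates WebSocket connections; whatever the enforcement point, the decision must be taken on the declared length before the read loop sizes a buffer from it.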
Evidence notes
The vulnerability was disclosed through Vulncheck with an official GitHub security advisory and a fix commit reference. The CVSS 4.0 vector indicates a network attack vector, low attack complexity and high availability impact. CWE-770 (Allocation of Resources Without Limits or Throttling) is identified as the underlying weakness.
Official resources
- GitHub security advisory and fix commit, referenced via Vulncheck (published 2026-05-05)