CVE-2026-32062: OpenClaw voice-call media stream validated streams after upgrade, which could allow pre-start unauthenticated sockets to increase resource pressure
(updated )
@openclaw/voice-call (and the bundled copy shipped in openclaw) accepted media-stream WebSocket upgrades before stream validation. In reachable deployments, unauthenticated pre-start sockets could be held open and increase resource pressure.
References
- github.com/advisories/GHSA-mfg5-7q5g-f37j
- github.com/openclaw/openclaw/commit/1d8968c8a821ff1a05c294a1846b3bcb6f343794
- github.com/openclaw/openclaw/security/advisories/GHSA-mfg5-7q5g-f37j
- nvd.nist.gov/vuln/detail/CVE-2026-32062
- www.vulncheck.com/advisories/openclaw-unauthenticated-websocket-resource-exhaustion-via-media-stream
Code Behaviors & Features
Detect and mitigate CVE-2026-32062 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →