GHSA-mfg5-7q5g-f37j: OpenClaw voice-call media stream validated streams after upgrade, which could allow pre-start unauthenticated sockets to increase resource pressure

March 2, 2026

@openclaw/voice-call (and the bundled copy shipped in openclaw) accepted media-stream WebSocket upgrades before stream validation. In reachable deployments, unauthenticated pre-start sockets could be held open and increase resource pressure.

References

github.com/advisories/GHSA-mfg5-7q5g-f37j
github.com/openclaw/openclaw
github.com/openclaw/openclaw/commit/1d8968c8a821ff1a05c294a1846b3bcb6f343794
github.com/openclaw/openclaw/security/advisories/GHSA-mfg5-7q5g-f37j

Code Behaviors & Features

Detect and mitigate GHSA-mfg5-7q5g-f37j with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →