OpenClaw and @openclaw/voice-call WebSocket Resource Exhaustion Vulnerability via Media Stream

Vulnerability

A denial-of-service vulnerability has been identified in OpenClaw versions 2026.2.21-2 prior to 2026.2.22, as well as in @openclaw/voice-call versions 2026.2.21 prior to 2026.2.22. These versions accept media-stream WebSocket upgrades before validating the stream, so unauthenticated clients can establish connections. A remote attacker can hold these not-yet-authenticated sockets open, which consumes connection resources and degrades service availability for legitimate streams.

Impact

Exploitation of this vulnerability can lead to increased resource consumption from open connections, causing a denial-of-service effect on legitimate media streams.

Reproduction

The vulnerability can be reproduced by sending a WebSocket upgrade request to the media-stream endpoint before authentication is completed. This can be done by initiating a connection and not immediately sending the required validation frames, effectively holding the connection open. With the right conditions, this can be automated to create a sustained denial-of-service effect.

Remediation

Users can update to OpenClaw version 2026.2.22 or @openclaw/voice-call version 2026.2.22 to address this vulnerability.
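
For operators checking their own WebSocket endpoints for the same pattern, the sketch below validates the stream during the HTTP upgrade and bounds how many sockets may sit unvalidated and for how long. It is an added example, not OpenClaw's code or its fix; the class name, the `token` query parameter, the limits and the sample values are all assumptions.

```javascript
// Added example, not OpenClaw code. Names, limits and the token scheme are assumptions.
class PreAuthGate {
  constructor({ maxPending, maxPerIp, deadlineMs, isKnownStream }) {
    Object.assign(this, { maxPending, maxPerIp, deadlineMs, isKnownStream });
    this.pending = new Map(); // connection id -> { ip, expires }
  }
  countFor(ip) {
    let n = 0;
    for (const p of this.pending.values()) if (p.ip === ip) n++;
    return n;
  }
  // Call from the HTTP "upgrade" handler before completing the handshake.
  // Returns an HTTP status: 101 = proceed, anything else = refuse and close.
  onUpgrade(id, ip, requestUrl, now) {
    const url = new URL(requestUrl, "http://placeholder.invalid");
    const token = url.searchParams.get("token");
    if (!token || !this.isKnownStream(token)) return 401; // never upgraded
    if (this.pending.size >= this.maxPending) return 503; // global cap
    if (this.countFor(ip) >= this.maxPerIp) return 429; // per-client cap
    this.pending.set(id, { ip, expires: now + this.deadlineMs });
    return 101;
  }
  // Call when the first valid stream frame arrives, and again on socket close.
  release(id) { return this.pending.delete(id); }
  // Call on a timer; returns ids whose sockets must be destroyed.
  sweep(now) {
    const expired = [];
    for (const [id, p] of this.pending) {
      if (now >= p.expires) { expired.push(id); this.pending.delete(id); }
    }
    return expired;
  }
}

// Constructed run with deliberately small limits and made-up tokens/addresses.
function demo() {
  const streams = new Set(["stream-abc", "stream-def"]);
  const gate = new PreAuthGate({ maxPending: 2, maxPerIp: 1, deadlineMs: 5000,
    isKnownStream: (t) => streams.has(t) });
  const results = [
    gate.onUpgrade("c1", "198.51.100.7", "/media?token=bogus", 0),
    gate.onUpgrade("c2", "198.51.100.7", "/media?token=stream-abc", 0),
    gate.onUpgrade("c3", "198.51.100.7", "/media?token=stream-def", 10),
    gate.onUpgrade("c4", "203.0.113.9", "/media?token=stream-def", 20),
  ];
  gate.release("c4"); // c4 sent its validation frame in time
  return { results, expired: gate.sweep(5000), pendingLeft: gate.pending.size };
}
console.log(demo());
```

In a real server the returned status decides whether the upgrade handler completes the handshake or writes an error response and destroys the socket, and `sweep` runs on an interval.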

Added: Mar 11, 2026, 2:18 PM
Updated: Mar 11, 2026, 2:18 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 0.6
exploitability: 8.4
remediation: 0.0
relevance: 3.8
threat: 4.8
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.