OpenClaw WebSocket Frame Processing Denial-of-Service Vulnerability

Vulnerability

A denial-of-service vulnerability affects OpenClaw versions prior to 2026.3.31. The voice-call component reads and handles large WebSocket frames before it has validated the connection's 'start' event and enforced the maximum allowed frame size. A remote attacker who can reach the voice-call WebSocket endpoint can therefore send oversized pre-start frames, causing excessive resource consumption and service disruption.

Impact

Successful exploitation exhausts server resources, producing a denial-of-service condition in which the application becomes unresponsive or unavailable to legitimate users.

Reproduction

To reproduce, connect to the voice-call WebSocket endpoint and, before the 'start' event has been validated, send a 'start' event payload whose 'customParameters' field is padded with enough data for the frame to exceed the maximum allowed frame size. The server accepts the connection and, instead of rejecting the oversized frame up front, attempts to handle it, so resource usage grows with the size of the frame sent.
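The following is an added illustration of the failure mode and of the check that closes it; it is not OpenClaw's code, and the message layout, the 64 KiB cap, and the class and function names are assumptions. The "vulnerable" handler decodes every frame before looking at its size, as the advisory describes; the hardened handler checks the byte length of any frame that arrives before 'start' has been accepted and closes the connection with WebSocket status 1009 (message too big, RFC 6455) without decoding it.

```python
import json

# Assumed values for this example only (not OpenClaw's actual limits).
MAX_PRE_START_FRAME_BYTES = 64 * 1024   # hypothetical cap for frames before 'start'
CLOSE_MESSAGE_TOO_BIG = 1009            # RFC 6455 close status: message too big
CLOSE_INVALID_PAYLOAD = 1007            # RFC 6455 close status: invalid payload data


def build_padded_start_event(padding_bytes: int) -> bytes:
    """Constructed test input: a 'start' event whose customParameters field is
    padded with `padding_bytes` of filler, as in the advisory's reproduction.
    The exact field layout is an assumption."""
    event = {
        "event": "start",
        "start": {"customParameters": {"pad": "A" * padding_bytes}},
    }
    return json.dumps(event, separators=(",", ":")).encode()


class VoiceCallSession:
    """Minimal stand-in for a voice-call WebSocket handler (hypothetical).

    vulnerable=True: every frame is fully decoded before any size check, so an
    oversized pre-start frame costs the server memory and CPU.
    vulnerable=False: frames that arrive before 'start' is accepted are bounded
    by byte length first and rejected with close code 1009 if too large.
    """

    def __init__(self, vulnerable: bool, max_pre_start: int = MAX_PRE_START_FRAME_BYTES):
        self.vulnerable = vulnerable
        self.max_pre_start = max_pre_start
        self.started = False
        self.close_code = None
        self.bytes_parsed = 0  # how much payload the server actually decoded

    def on_frame(self, frame: bytes) -> str:
        if self.close_code is not None:
            return "closed"  # connection already closed; nothing more is processed

        # Hardened path: bound the pre-start frame before touching its contents.
        if not self.vulnerable and not self.started and len(frame) > self.max_pre_start:
            self.close_code = CLOSE_MESSAGE_TOO_BIG
            return "rejected"

        # Vulnerable path (and legitimately small frames): decode the whole payload.
        self.bytes_parsed += len(frame)
        try:
            msg = json.loads(frame)
        except ValueError:
            self.close_code = CLOSE_INVALID_PAYLOAD
            return "rejected"

        if not self.started:
            if msg.get("event") != "start":
                return "ignored"  # only 'start' is meaningful before the call begins
            self.started = True
            return "started"
        return "accepted"


if __name__ == "__main__":
    oversized = build_padded_start_event(MAX_PRE_START_FRAME_BYTES * 4)
    normal = build_padded_start_event(16)

    weak = VoiceCallSession(vulnerable=True)
    print("vulnerable:", weak.on_frame(oversized), "decoded", weak.bytes_parsed, "bytes")

    fixed = VoiceCallSession(vulnerable=False)
    print("hardened:", fixed.on_frame(oversized), "close code", fixed.close_code,
          "decoded", fixed.bytes_parsed, "bytes")
    print("hardened, normal start:", VoiceCallSession(vulnerable=False).on_frame(normal))
```

The point of the ordering is that the length check costs nothing and happens before allocation or parsing; a limit applied only after the 'start' event has been decoded would still let the attacker force the server to buffer and parse the padded frame.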

Remediation

Upgrade to OpenClaw version 2026.3.31 or later, where the handling of pre-start WebSocket frames has been fixed.

Added: Apr 28, 2026, 9:01 PM
Updated: Apr 28, 2026, 9:01 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 8.4
remediation: 0.0
relevance: 6.9
threat: 4.8
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.