OpenClaw Denial-of-Service Vulnerability via Oversized WebSocket Frames in Voice-Call Realtime Path

Vulnerability

A denial-of-service vulnerability has been identified in OpenClaw version 2026.4.9, i.e. in releases prior to 2026.4.10. The issue lies in the voice-call realtime WebSocket path, which accepts oversized frames without adequate validation. A remote attacker who can reach this path can send large WebSocket frames and disrupt service on deployments that expose the webhook path.

Impact

Exploitation of this vulnerability leads to service unavailability, causing disruptions in applications that rely on the voice-call realtime WebSocket functionality.

Reproduction

The vulnerability can be reproduced by sending oversized WebSocket frames to the voice-call realtime WebSocket path: establish a WebSocket connection and send a 'start' event whose payload exceeds 256 KB, the maximum allowed frame size. The server closes the connection because of the oversized frame, but not before a temporary disruption in service has occurred.
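The defensive counterpart of the behaviour described above is a size check made on the frame header alone, so that a frame declaring more than the 256 KB limit is refused with close code 1009 (Message Too Big) before any of its payload is buffered. The following is an added example written for this page; it is not OpenClaw's code, and the function names (parse_frame_header, check_frame, build_client_frame_header) and the test frames it builds are constructed for illustration. It also carries the accumulated size of a fragmented message across continuation frames, since a per-frame limit on its own can be bypassed by fragmenting one large message.

```python
import struct

MAX_FRAME_PAYLOAD = 256 * 1024  # the 256 KB limit cited in the advisory

# Close codes from RFC 6455 section 7.4.1
CLOSE_PROTOCOL_ERROR = 1002
CLOSE_MESSAGE_TOO_BIG = 1009


def parse_frame_header(buf: bytes):
    """Decode the header of a WebSocket frame (RFC 6455 section 5.2).

    Returns a dict with fin, opcode, masked, payload_len and header_len, or
    None if buf does not yet hold the complete header. Only the header bytes
    are inspected; the payload is never read here.
    """
    if len(buf) < 2:
        return None
    b0, b1 = buf[0], buf[1]
    fin = bool(b0 & 0x80)
    opcode = b0 & 0x0F
    masked = bool(b1 & 0x80)
    length = b1 & 0x7F
    header_len = 2
    if length == 126:                      # 16-bit extended length
        if len(buf) < 4:
            return None
        length = struct.unpack("!H", buf[2:4])[0]
        header_len = 4
    elif length == 127:                    # 64-bit extended length
        if len(buf) < 10:
            return None
        length = struct.unpack("!Q", buf[2:10])[0]
        header_len = 10
    if masked:
        header_len += 4                    # 4-byte masking key follows the length
    return {"fin": fin, "opcode": opcode, "masked": masked,
            "payload_len": length, "header_len": header_len}


def check_frame(buf: bytes, max_payload: int = MAX_FRAME_PAYLOAD,
                accumulated: int = 0):
    """Decide what to do with an incoming frame from its declared length.

    accumulated is the number of payload bytes already buffered for an
    in-progress fragmented message. Returns ("accept", payload_len),
    ("close", close_code) or ("need_more", None). Because only the header is
    consulted, an oversized frame is rejected before its payload is read.
    """
    hdr = parse_frame_header(buf)
    if hdr is None:
        return ("need_more", None)
    if not hdr["masked"]:
        # Client-to-server frames MUST be masked (RFC 6455 section 5.1).
        return ("close", CLOSE_PROTOCOL_ERROR)
    if accumulated + hdr["payload_len"] > max_payload:
        return ("close", CLOSE_MESSAGE_TOO_BIG)
    return ("accept", hdr["payload_len"])


def build_client_frame_header(payload_len: int, opcode: int = 0x1) -> bytes:
    """Build a masked, final text-frame header declaring payload_len bytes.

    Constructed test input only: it produces the header a client would send,
    with an all-zero masking key, and no payload bytes follow it.
    """
    first = 0x80 | opcode
    if payload_len < 126:
        hdr = bytes([first, 0x80 | payload_len])
    elif payload_len <= 0xFFFF:
        hdr = bytes([first, 0x80 | 126]) + struct.pack("!H", payload_len)
    else:
        hdr = bytes([first, 0x80 | 127]) + struct.pack("!Q", payload_len)
    return hdr + b"\x00\x00\x00\x00"


if __name__ == "__main__":
    print(check_frame(build_client_frame_header(10)))          # ('accept', 10)
    print(check_frame(build_client_frame_header(300 * 1024)))  # ('close', 1009)
```

A server that reads the payload with a bounded read of exactly payload_len bytes after this check never allocates more than max_payload for one message, which is the property the advisory's fix is meant to restore for the voice-call realtime path.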

Remediation

Users are advised to upgrade to OpenClaw version 2026.4.10 or later. The latest available version is 2026.4.14, which includes the fix.

Added: May 5, 2026, 12:39 PM
Updated: May 5, 2026, 12:39 PM

Vulnerability Rating

Custom Algorithm

spread          0.0
impact          2.5
exploitability  7.7
remediation     0.0
relevance       7.5
threat          4.8
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.