CVSS 7.5 · HIGH

CVE-2026-42437

OpenClaw versions from 2026.4.9 before 2026.4.10 contain a denial-of-service vulnerability in the voice-call realtime WebSocket path, which accepts oversized frames without validating their size. A remote, unauthenticated attacker can send oversized WebSocket frames to exhaust resources and make the service unavailable on deployments that expose the webhook path.
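The following is an added example written for this page, not code from OpenClaw (the page does not say which language OpenClaw uses or how its handler is structured). It contrasts, for RFC 6455 frames, the vulnerable pattern the description implies, trusting the payload length the peer declares in a frame header, with a hardened parser that caps the declared length before any payload is buffered and caps the reassembled message across fragments. The limits (64 KiB per frame, 1 MiB per message), the class and function names, and the sample frames are assumptions constructed for illustration; close code 1009 is RFC 6455's standard "Message Too Big" code.

```javascript
'use strict';
// Added example, not OpenClaw's code. Shows the check a CWE-770 WebSocket
// frame-size DoS is missing: the payload length declared in an RFC 6455
// frame header is validated against a cap before any payload is buffered.
// Limits, names and sample frames are assumptions for illustration.

const CLOSE_MESSAGE_TOO_BIG = 1009; // RFC 6455 close code "Message Too Big"

class FrameTooLarge extends Error {
  constructor(declared, limit) {
    super(`frame declares ${declared} bytes, limit is ${limit}`);
    this.closeCode = CLOSE_MESSAGE_TOO_BIG;
  }
}

// Vulnerable pattern: trust the declared length. A 10-byte header can claim
// 2^40 bytes; handing this number to an allocator or buffer is the DoS.
function declaredPayloadLength(buf) {
  const len = buf[1] & 0x7f;
  if (len === 126) return buf.readUInt16BE(2);
  if (len === 127) return Number(buf.readBigUInt64BE(2));
  return len;
}

// Hardened header parse: returns null when more bytes are needed, throws
// FrameTooLarge when the declared payload exceeds maxFrameBytes. Nothing
// is allocated in proportion to the attacker-controlled length.
function parseFrameHeader(buf, maxFrameBytes) {
  if (buf.length < 2) return null;
  const fin = (buf[0] & 0x80) !== 0;
  const opcode = buf[0] & 0x0f;
  const masked = (buf[1] & 0x80) !== 0;
  let payloadLen = buf[1] & 0x7f;
  let offset = 2;
  if (payloadLen === 126) {
    if (buf.length < 4) return null;
    payloadLen = buf.readUInt16BE(2);
    offset = 4;
  } else if (payloadLen === 127) {
    if (buf.length < 10) return null;
    const big = buf.readBigUInt64BE(2); // compared as BigInt, never converted first
    if (big > BigInt(maxFrameBytes)) throw new FrameTooLarge(big.toString(), maxFrameBytes);
    payloadLen = Number(big);
    offset = 10;
  }
  if (payloadLen > maxFrameBytes) throw new FrameTooLarge(payloadLen, maxFrameBytes);
  if (masked) offset += 4;
  if (buf.length < offset) return null;
  const maskKey = masked ? buf.subarray(offset - 4, offset) : null;
  return { fin, opcode, masked, payloadLen, headerLen: offset, maskKey };
}

// Reassembles fragmented messages with a cap on the total, so a peer cannot
// bypass the per-frame limit by streaming many small continuation frames.
class MessageAssembler {
  constructor({ maxFrameBytes = 64 * 1024, maxMessageBytes = 1024 * 1024 } = {}) {
    this.maxFrameBytes = maxFrameBytes;
    this.maxMessageBytes = maxMessageBytes;
    this.pending = [];      // fragments of the data message in progress
    this.pendingBytes = 0;
  }

  // Feed one complete frame; returns a message Buffer on FIN (or a control
  // frame payload), else null. Throws and drops state on any limit breach.
  feed(frame) {
    const hdr = parseFrameHeader(frame, this.maxFrameBytes);
    if (hdr === null || frame.length < hdr.headerLen + hdr.payloadLen) {
      throw new Error('incomplete frame');
    }
    if (hdr.opcode >= 0x8 && (!hdr.fin || hdr.payloadLen > 125)) {
      throw new Error('protocol error: control frame fragmented or over 125 bytes');
    }
    const payload = Buffer.from(frame.subarray(hdr.headerLen, hdr.headerLen + hdr.payloadLen));
    if (hdr.masked) for (let i = 0; i < payload.length; i++) payload[i] ^= hdr.maskKey[i & 3];
    if (hdr.opcode >= 0x8) return payload; // control frames never join a message
    const total = this.pendingBytes + payload.length;
    if (total > this.maxMessageBytes) {
      this.pending = []; this.pendingBytes = 0;
      throw new FrameTooLarge(total, this.maxMessageBytes);
    }
    this.pending.push(payload);
    this.pendingBytes = total;
    if (!hdr.fin) return null;
    const message = Buffer.concat(this.pending);
    this.pending = []; this.pendingBytes = 0;
    return message;
  }
}

// Builds a frame; used only to construct sample input for this example.
function encodeFrame(opcode, payload, { fin = true, mask = null } = {}) {
  const len = payload.length;
  const first = (fin ? 0x80 : 0) | opcode;
  let header;
  if (len < 126) {
    header = Buffer.from([first, len]);
  } else if (len < 0x10000) {
    header = Buffer.alloc(4); header[0] = first; header[1] = 126; header.writeUInt16BE(len, 2);
  } else {
    header = Buffer.alloc(10); header[0] = first; header[1] = 127; header.writeBigUInt64BE(BigInt(len), 2);
  }
  if (!mask) return Buffer.concat([header, payload]);
  header[1] |= 0x80;
  const masked = Buffer.from(payload);
  for (let i = 0; i < masked.length; i++) masked[i] ^= mask[i & 3];
  return Buffer.concat([header, mask, masked]);
}

// Constructed attacker input: a 10-byte header declaring `declared` payload bytes.
function forgedOversizedHeader(declared) {
  const h = Buffer.alloc(10);
  h[0] = 0x82; // FIN, binary frame
  h[1] = 127;  // 64-bit extended length follows
  h.writeBigUInt64BE(BigInt(declared), 2);
  return h;
}
```

Rejecting at the header means the server closes the connection (with code 1009) after reading at most 14 bytes, whatever the peer claims; the per-message cap matters because a peer can otherwise stream an unbounded number of small continuation frames. A server built on a WebSocket library applies the same two limits through that library's maximum payload size setting.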


Analysis

OpenClaw is a niche open-source engine with limited deployment in the MexicoDev stack. The vulnerability is a denial of service through resource exhaustion on the voice-call WebSocket path (CWE-770): it affects availability only, with no confidentiality or integrity impact, and it lacks the high impact or widespread reach needed to justify a general developer alert. Teams running an affected version with the webhook path exposed should still upgrade to 2026.4.10.

Severity

Score: 7.5 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
AV: NETWORK
AC: LOW
PR: NONE
UI: NONE
S: UNCHANGED
C: NONE
I: NONE
A: HIGH
Weakness (CWE): CWE-770 (Allocation of Resources Without Limits or Throttling)

EPSS

Probability of exploitation (next 30 days): 0.0009 (0.1%)
Percentile: 25.4%
EPSS score date: 2026-05-06

Published: 5/5/2026, 12:16:18 PM
Last modified: 5/5/2026, 7:47:31 PM
