OpenClaw: Voice-call realtime WebSocket accepted oversized frames
GHSA-vw3h-q6xq-jjm5 · CVE-2026-42437
Published · Modified
Description
Summary
Voice-call realtime WebSocket accepted oversized frames.
Affected Packages / Versions
- Package:
openclaw - Ecosystem: npm
- Affected versions:
>= 2026.4.9 < 2026.4.10 - Patched versions:
>= 2026.4.10
Impact
The voice-call realtime WebSocket path could accept oversized frames, creating a remote availability risk for deployments exposing that webhook path.
Technical Details
The fix rejects oversized realtime WebSocket frames before processing them.
Fix
The issue was fixed in #63890. The first stable tag containing the fix is v2026.4.10, and openclaw@2026.4.14 includes the fix.
Fix Commit(s)
afadb7dae6738819ad9c7d2597ace0516957d20e- PR: #63890
Release Process Note
Users should upgrade to openclaw 2026.4.10 or newer. The latest npm release, 2026.4.14, already includes the fix.
Reporters
Thanks to G0odUser from ADLab of VenusTech
Thanks to @zsxsoft, with sponsorship from @KeenSecurityLab and @qclawer for reporting this issue.
References
- WEB https://github.com/openclaw/openclaw/security/advisories/GHSA-vw3h-q6xq-jjm5
- ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2026-42437
- WEB https://github.com/openclaw/openclaw/pull/63890
- WEB https://github.com/openclaw/openclaw/commit/afadb7dae6738819ad9c7d2597ace0516957d20e
- PACKAGE https://github.com/openclaw/openclaw
- WEB https://www.vulncheck.com/advisories/openclaw-denial-of-service-via-oversized-websocket-frames-in-voice-call-realtime-path
Ready to move
Start Securing
Free, no credit card | First findings in minutes