CVE-2026-41399
Published: 28 April 2026
Summary
CVE-2026-41399 is a high-severity Allocation of Resources Without Limits or Throttling (CWE-770) vulnerability in Openclaw Openclaw. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Service Exhaustion Flood (T1499.002); ranked at the 21.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-10 (Concurrent Session Control) and SC-5 (Denial-of-service Protection).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly protects against denial-of-service attacks via unbounded concurrent unauthenticated WebSocket upgrades that exhaust socket and worker capacity.
Enforces resource allocation limits and protections to prevent exhaustion of sockets and workers by unauthenticated WebSocket connections.
Limits concurrent sessions or connections, mitigating unbounded WebSocket upgrades that disrupt availability for legitimate clients.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability enables flooding the service with excessive unauthenticated WebSocket upgrade requests to exhaust socket/worker resources, directly facilitating a Service Exhaustion Flood (T1499.002) for denial-of-service.
NVD Description
OpenClaw before 2026.3.28 accepts unbounded concurrent unauthenticated WebSocket upgrades without pre-authentication budget allocation. Unauthenticated network attackers can exhaust socket and worker capacity to disrupt WebSocket availability for legitimate clients.
Deeper analysisAI
CVE-2026-41399 affects OpenClaw versions prior to 2026.3.28, where the software accepts unbounded concurrent unauthenticated WebSocket upgrades without pre-authentication budget allocation. This flaw, classified under CWE-770 (Allocation of Resources Without Limits or Throttling), enables resource exhaustion attacks. The vulnerability received a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and was published on 2026-04-28.
Unauthenticated network attackers can exploit this issue with low complexity and no privileges required. By initiating excessive WebSocket upgrade requests, they can exhaust socket and worker capacity, resulting in a denial-of-service that disrupts WebSocket availability for legitimate clients.
Advisories detailing mitigation are available from the OpenClaw GitHub security page at https://github.com/openclaw/openclaw/security/advisories/GHSA-f44p-c7w9-7xr7 and VulnCheck at https://www.vulncheck.com/advisories/openclaw-denial-of-service-via-unbounded-pre-auth-websocket-upgrades.
Details
- CWE(s)