CVE-2026-41400
Published: 28 April 2026
Summary
CVE-2026-41400 is a medium-severity Allocation of Resources Without Limits or Throttling (CWE-770) vulnerability in OpenClaw. Its CVSS base score is 5.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). It is ranked at the 35.3rd percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5) [AI-generated]
SC-5 directly protects against denial-of-service attacks by implementing measures like rate limiting and frame size restrictions to prevent resource exhaustion from oversized WebSocket frames.
SI-10 requires validation of information inputs, ensuring oversized pre-start WebSocket frames are rejected before parsing to mitigate the resource consumption vulnerability.
SC-6 enforces resource allocation policies and protects availability from unauthorized depletion caused by parsing large WebSocket frames without prior validation.
MITRE ATT&CK Enterprise Techniques [AI-generated]
Why these techniques?
The vulnerability enables remote exploitation of a parsing flaw in the voice-call WebSocket component to cause resource exhaustion and denial of service, directly mapping to T1499.004 Application or System Exploitation.
NVD Description
OpenClaw before 2026.3.31 contains an incomplete fix for CVE-2026-32062 where the voice-call component parses large WebSocket frames before start validation. Remote attackers can send oversized pre-start WebSocket frames to cause resource consumption and denial of service.
Deeper analysis [AI-generated]
CVE-2026-41400 is a denial-of-service vulnerability in OpenClaw versions prior to 2026.3.31, stemming from an incomplete fix for the earlier CVE-2026-32062. The issue affects the voice-call component, which parses large WebSocket frames before performing start validation, allowing oversized pre-start frames to trigger excessive resource consumption. Classified under CWE-770 (Allocation of Resources Without Limits or Throttling), it carries a CVSS v3.1 base score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L), indicating medium severity with low-impact availability disruption.
Remote attackers require no privileges or user interaction to exploit this vulnerability over the network. By sending specially crafted oversized WebSocket frames to the voice-call component before the connection start validation, adversaries can cause significant resource exhaustion on the server, leading to denial of service. The attack leverages the parsing logic flaw, making it straightforward for unauthenticated remote exploitation.
Mitigation involves upgrading to OpenClaw 2026.3.31 or later, where the incomplete fix from CVE-2026-32062 has been properly addressed. Relevant advisories include the GitHub security advisory GHSA-2w79-r9g8-wmcr, the fix commit at https://github.com/openclaw/openclaw/commit/9abcfdadf591bf266d85fbdfe14ae833e557a110, and VulnCheck's detailed analysis at https://www.vulncheck.com/advisories/openclaw-resource-consumption-via-oversized-websocket-frames-in-voice-call, which outline the patch and recommend immediate updates for affected deployments.
Details
- CWE(s)