📄 Description (English)
OpenClaw versions 2026.4.9 before 2026.4.10 contain a denial of service vulnerability in the voice-call realtime WebSocket path that accepts oversized frames without proper validation. Remote attackers can send oversized WebSocket frames to cause service unavailability for deployments exposing the webhook path.
🤖 AI Executive Summary
OpenClaw versions 2026.4.9 and earlier contain a denial of service vulnerability in WebSocket frame handling that allows remote attackers to crash voice-call services by sending oversized frames. This affects organizations using OpenClaw for real-time communications, with no patch currently available. The vulnerability poses significant risk to telecom operators and enterprises relying on OpenClaw for VoIP and unified communications.
📄 Description (Arabic)
🤖 AI Intelligence Analysis Analyzed: May 9, 2026 16:55
🇸🇦 Saudi Arabia Impact Assessment
Saudi telecom operators (STC, Mobily, Zain) and government agencies using OpenClaw for secure communications face service disruption risks. Banking sector organizations using OpenClaw for customer support voice channels could experience availability issues. Healthcare providers leveraging OpenClaw for telemedicine and patient communication systems are at risk. Government entities under NCA oversight relying on OpenClaw for internal communications could face operational disruption. The vulnerability is particularly critical for organizations in the Kingdom that have integrated OpenClaw into mission-critical voice infrastructure without redundancy.
🏢 Affected Saudi Sectors
Telecommunications (STC, Mobily, Zain)
Banking and Financial Services
Government and Public Administration
Healthcare and Telemedicine
Energy and Utilities
Enterprise Communications
🎯 MITRE ATT&CK Techniques
⚖️ Saudi Risk Score (AI)
7.8
/ 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Identify all OpenClaw deployments in your environment, particularly those exposing webhook/WebSocket paths to untrusted networks
2. Implement network-level rate limiting and frame size restrictions on WebSocket connections
3. Deploy WAF rules to reject oversized WebSocket frames exceeding normal payload thresholds (typically >1MB)
4. Enable detailed logging of WebSocket connection attempts and frame sizes for forensic analysis
COMPENSATING CONTROLS (until patch available):
5. Implement reverse proxy (nginx/HAProxy) with request size limits: client_max_body_size and proxy_request_buffering directives
6. Deploy IDS/IPS signatures to detect and block oversized WebSocket frames
7. Implement connection timeout policies and per-IP rate limiting
8. Segment OpenClaw services behind load balancers with health checks and auto-failover
DETECTION RULES:
9. Monitor for WebSocket frames exceeding 10MB in size
10. Alert on rapid connection attempts from single IP addresses
11. Track service restart events and correlate with WebSocket traffic anomalies
12. Monitor CPU and memory spikes during WebSocket communication
PATCHING:
13. Subscribe to OpenClaw security advisories for patch availability
14. Plan immediate upgrade to version 2026.4.10 or later once released
15. Test patches in non-production environment before deployment
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية:
1. حدد جميع نشرات OpenClaw في بيئتك، خاصة تلك التي تكشف مسارات webhook/WebSocket للشبكات غير الموثوقة
2. طبق تحديد معدل على مستوى الشبكة وقيود حجم الإطار على اتصالات WebSocket
3. نشر قواعد WAF لرفض إطارات WebSocket المفرطة الحجم التي تتجاوز حدود الحمولة العادية (عادة >1MB)
4. فعّل تسجيل مفصل لمحاولات الاتصال بـ WebSocket وأحجام الإطارات للتحليل الجنائي
الضوابط التعويضية (حتى توفر التصحيح):
5. طبق خادم وكيل عكسي (nginx/HAProxy) مع حدود حجم الطلب: توجيهات client_max_body_size و proxy_request_buffering
6. نشر توقيعات IDS/IPS للكشف عن إطارات WebSocket المفرطة الحجم وحجبها
7. طبق سياسات انتهاء الاتصال وتحديد معدل لكل عنوان IP
8. قسّم خدمات OpenClaw خلف موازنات التحميل مع فحوصات الصحة والفشل التلقائي
قواعد الكشف:
9. راقب إطارات WebSocket التي تتجاوز 10MB في الحجم
10. تنبيهات محاولات الاتصال السريعة من عناوين IP واحدة
11. تتبع أحداث إعادة تشغيل الخدمة والربط بشذوذ حركة WebSocket
12. راقب ارتفاعات CPU والذاكرة أثناء اتصال WebSocket
التصحيح:
13. اشترك في تنبيهات أمان OpenClaw لتوفر التصحيح
14. خطط للترقية الفورية إلى الإصدار 2026.4.10 أو أحدث عند إصداره
15. اختبر التصحيحات في بيئة غير الإنتاج قبل النشر
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
ECC 2024 A.12.6.1 - Management of technical vulnerabilities
ECC 2024 A.12.2.1 - Change management procedures
ECC 2024 A.13.1.3 - Segregation of networks
ECC 2024 A.16.1.5 - Response to information security incidents
🔵 SAMA CSF
ID.RA-1 - Asset management and criticality assessment
PR.DS-6 - Integrity checking mechanisms
DE.CM-1 - Network monitoring
RS.RP-1 - Response planning
🟡 ISO 27001:2022
A.12.2.1 - Change management
A.12.6.1 - Management of technical vulnerabilities
A.13.1.1 - Network controls
A.16.1.5 - Assessment and decision on information security incidents
🟣 PCI DSS v4.0.1
Requirement 6.2 - Security patches and updates
Requirement 11.2 - Vulnerability scanning
🔗 References & Sources 3
🔗
🔗
🔗
https://github.com/openclaw/openclaw/commit/afadb7dae6738819ad9c7d2597ace0516957d20e
disclosure@vulncheck.com
https://github.com/openclaw/openclaw/security/advisories/GHSA-vw3h-q6xq-jjm5
disclosure@vulncheck.com
https://www.vulncheck.com/advisories/openclaw-denial-of-service-via-oversized-websocket...
disclosure@vulncheck.com