Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-41399

CVE-2026-41399: OpenClaw DoS Vulnerability via WebSocket

CVE-2026-41399 is a denial of service vulnerability in OpenClaw that allows unauthenticated attackers to exhaust system resources through unbounded WebSocket connections. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2026-41399 Overview

OpenClaw before version 2026.3.28 contains a critical resource exhaustion vulnerability in its WebSocket handling mechanism. The application accepts unbounded concurrent unauthenticated WebSocket upgrades without implementing pre-authentication budget allocation. This design flaw allows unauthenticated network attackers to exhaust socket and worker capacity, disrupting WebSocket availability for legitimate clients.

Critical Impact

Unauthenticated attackers can remotely disrupt service availability by exhausting server resources through unbounded WebSocket connection requests, leading to denial of service for legitimate users.

Affected Products

  • OpenClaw versions prior to 2026.3.28

Discovery Timeline

  • April 28, 2026 - CVE-2026-41399 published to NVD
  • April 28, 2026 - Last updated in NVD database

Technical Details for CVE-2026-41399

Vulnerability Analysis

This vulnerability falls under CWE-770 (Allocation of Resources Without Limits or Throttling). The core issue stems from OpenClaw's WebSocket upgrade handling, which fails to implement any form of rate limiting or connection budgeting for unauthenticated clients. When a client initiates a WebSocket upgrade request, the server allocates socket descriptors and worker threads without verifying authentication status or enforcing connection limits per source.

The network-accessible attack surface allows remote exploitation without requiring any user interaction or authentication. An attacker can leverage this flaw to consume all available server resources by rapidly initiating WebSocket upgrade requests, effectively preventing legitimate clients from establishing connections.

Root Cause

The vulnerability exists because OpenClaw's WebSocket implementation lacks pre-authentication budget allocation mechanisms. The server processes all incoming WebSocket upgrade requests equally, regardless of their authentication status or source IP. This architectural oversight means the server has no mechanism to:

  • Limit the number of concurrent unauthenticated connection attempts
  • Implement per-source rate limiting for connection requests
  • Reserve resources for authenticated or priority clients
  • Gracefully degrade service under connection pressure

Attack Vector

The attack is executed over the network and requires no authentication or user interaction. An attacker can craft a simple script that continuously initiates WebSocket upgrade requests to the target OpenClaw server. Each request consumes server resources (file descriptors, memory, worker threads) until the server's capacity is exhausted.

The attack flow follows this pattern:

  1. Attacker identifies an OpenClaw server endpoint accepting WebSocket connections
  2. Attacker initiates rapid, concurrent WebSocket upgrade requests
  3. Server allocates resources for each request without authentication checks
  4. Server resources become exhausted, rejecting new connections
  5. Legitimate clients are unable to establish WebSocket connections

For technical details on the exploitation mechanism, refer to the GitHub Security Advisory and VulnCheck Denial of Service Advisory.

Detection Methods for CVE-2026-41399

Indicators of Compromise

  • Unusual spike in WebSocket upgrade requests from single or multiple IP addresses
  • Rapid increase in open socket descriptors on the server
  • Worker thread exhaustion warnings in server logs
  • Connection timeout errors reported by legitimate clients
  • Server performance degradation coinciding with network traffic anomalies

Detection Strategies

  • Monitor for abnormal rates of WebSocket upgrade requests, particularly from unauthenticated sources
  • Implement connection tracking to identify sources generating excessive upgrade requests
  • Configure alerting thresholds for socket descriptor utilization and worker thread consumption
  • Deploy network-level traffic analysis to detect potential DoS patterns targeting WebSocket endpoints

Monitoring Recommendations

  • Enable detailed logging for WebSocket connection attempts including source IP and connection state
  • Monitor server resource metrics including file descriptor counts, memory usage, and active worker threads
  • Implement real-time alerting for resource exhaustion conditions
  • Track connection establishment success/failure ratios to detect service degradation

How to Mitigate CVE-2026-41399

Immediate Actions Required

  • Upgrade OpenClaw to version 2026.3.28 or later immediately
  • Implement network-level rate limiting for WebSocket upgrade requests as an interim measure
  • Configure firewall rules to limit concurrent connections per source IP
  • Monitor server resources closely for signs of active exploitation

Patch Information

The vulnerability is addressed in OpenClaw version 2026.3.28, which implements proper pre-authentication budget allocation for WebSocket upgrades. Organizations should prioritize upgrading to this version or later to fully remediate the vulnerability.

For additional information, refer to the GitHub Security Advisory.

Workarounds

  • Deploy a reverse proxy or load balancer with rate limiting capabilities in front of OpenClaw servers
  • Configure connection limits per source IP at the network or firewall level
  • Implement application-level throttling for unauthenticated WebSocket upgrade requests
  • Consider IP reputation-based filtering to block known malicious sources
bash
# Example nginx rate limiting configuration for WebSocket endpoints
limit_conn_zone $binary_remote_addr zone=ws_conn:10m;
limit_req_zone $binary_remote_addr zone=ws_req:10m rate=10r/s;

location /ws {
    limit_conn ws_conn 10;
    limit_req zone=ws_req burst=20 nodelay;
    proxy_pass http://openclaw_backend;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
}

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.