AI Threat Alert AI Threat Alert

GHSA-vw3h-q6xq-jjm5

GHSA-vw3h-q6xq-jjm5 HIGH
Published April 17, 2026

## Summary Voice-call realtime WebSocket accepted oversized frames. ## Affected Packages / Versions - Package: `openclaw` - Ecosystem: npm - Affected versions: `>= 2026.4.9 < 2026.4.10` - Patched versions: `>= 2026.4.10` ## Impact The voice-call realtime WebSocket path could accept oversized...

Full CISO analysis pending enrichment.

Affected Systems

Package Ecosystem Vulnerable Range Patched
openclaw npm >= 2026.4.9, < 2026.4.10 2026.4.10
2 dependents 92% patched ~1d to patch Full package profile →

Do you use openclaw? You're affected.

Severity & Risk

CVSS 3.1
N/A
EPSS
N/A
Exploitation Status
No known exploitation
Sophistication
N/A

Recommended Action

Patch available

Update openclaw to version 2026.4.10

Compliance Impact

Compliance analysis pending. Sign in for full compliance mapping when available.

Frequently Asked Questions

What is GHSA-vw3h-q6xq-jjm5?

OpenClaw: Voice-call realtime WebSocket accepted oversized frames

Is GHSA-vw3h-q6xq-jjm5 actively exploited?

No confirmed active exploitation of GHSA-vw3h-q6xq-jjm5 has been reported, but organizations should still patch proactively.

How to fix GHSA-vw3h-q6xq-jjm5?

Update to patched version: openclaw 2026.4.10.

What is the CVSS score for GHSA-vw3h-q6xq-jjm5?

No CVSS score has been assigned yet.

Technical Details

NVD Description

## Summary Voice-call realtime WebSocket accepted oversized frames. ## Affected Packages / Versions - Package: `openclaw` - Ecosystem: npm - Affected versions: `>= 2026.4.9 < 2026.4.10` - Patched versions: `>= 2026.4.10` ## Impact The voice-call realtime WebSocket path could accept oversized frames, creating a remote availability risk for deployments exposing that webhook path. ## Technical Details The fix rejects oversized realtime WebSocket frames before processing them. ## Fix The issue was fixed in #63890. The first stable tag containing the fix is `v2026.4.10`, and `openclaw@2026.4.14` includes the fix. ## Fix Commit(s) - `afadb7dae6738819ad9c7d2597ace0516957d20e` - PR: #63890 ## Release Process Note Users should upgrade to `openclaw` 2026.4.10 or newer. The latest npm release, `2026.4.14`, already includes the fix. ## Credits Thanks to @zsxsoft, with sponsorship from @KeenSecurityLab and @qclawer for reporting this issue.

Weaknesses (CWE)

CWE-400 Uncontrolled Resource Consumption Primary CWE-770 Allocation of Resources Without Limits or Throttling Primary

References

Timeline

Published
April 17, 2026
Last Modified
April 17, 2026
First Seen
April 18, 2026

Related Vulnerabilities

CRITICAL CVE-2026-30741 9.8

OpenClaw: RCE via request-side prompt injection

Same package: openclaw
CRITICAL CVE-2026-28451 9.3

OpenClaw: SSRF via Feishu extension exposes internal services

Same package: openclaw
HIGH GHSA-m3mh-3mpg-37hw 8.6

OpenClaw: .npmrc hijack enables RCE on plugin install

Same package: openclaw
HIGH CVE-2026-27001 7.8

OpenClaw: prompt injection via unsanitized workspace path

Same package: openclaw
HIGH GHSA-hr5v-j9h9-xjhg 7.7

OpenClaw: sandbox escape via mediaUrl path traversal

Same package: openclaw
Back to Threat Feed