OpenClaw before 2026.3.28 accepts unbounded concurrent unauthenticated WebSocket upgrades without pre-authentication budget allocation. Unauthenticated network …

CVE-2026-41399 affects OpenClaw versions before 2026.3.28, allowing unauthenticated attackers to perform denial of service attacks through unbounded concurrent WebSocket upgrades. The vulnerability exists due to lack of pre-authentication budget allocation for WebSocket connections. Attackers can exploit this flaw to exhaust socket and worker capacity, disrupting WebSocket availability for legitimate users. This is a network-based attack that requires no authentication, making it easily exploitable by remote attackers. The impact is a complete disruption of WebSocket services for legitimate clients.