Description
OpenClaw before 2026.3.31 contains an authentication rate limiting bypass vulnerability that allows attackers to circumvent shared authentication protections using fake device tokens. Attackers can exploit the mixed WebSocket authentication flow to bypass rate limiting controls and conduct brute force attacks against weak shared passwords.
Published: 2026-04-23
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Authentication Rate Limiting Bypass
Action: Patch
AI Analysis

Impact

OpenClaw versions prior to 2026.3.31 allow an attacker to bypass authentication rate limiting by supplying forged device tokens during the mixed WebSocket authentication flow. The flaw lies in the handling of device tokens (CWE-799, improper control of interaction frequency): the rate-limiting checks are ineffective, enabling brute-force attempts against weak shared passwords that would otherwise be throttled. The consequence is the ability to systematically test credentials without triggering account lockout or alerting mechanisms, potentially leading to unauthorized account access.

Affected Systems

The vulnerability affects the OpenClaw application (vendor OpenClaw, product OpenClaw) on all supported Node.js environments. Any deployment of OpenClaw using a version older than 2026.3.31 is susceptible; the patch is incorporated in 2026.3.31 and later releases.

Risk and Exploitability

The CVSS v3.1 score of 6.3 indicates a moderate threat, and the EPSS score of less than 1% suggests that exploitation is unlikely at the time of assessment. The vulnerability is not listed in the CISA KEV catalog. Successful exploitation requires network access to the OpenClaw service and the ability to send crafted WebSocket authentication messages, which is feasible for remote attackers with visibility into the WebSocket channel.

Generated by OpenCVE AI on April 28, 2026 at 20:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update OpenClaw to version 2026.3.31 or newer.
  • Configure the service to enforce strong, unique passwords and consider disabling shared passwords if possible.
  • Limit direct WebSocket access to trusted hosts or add an additional authentication layer such as mutual TLS or IP whitelisting.


Tracking


Advisories
Source: Github GHSA
ID: GHSA-6p8r-6m93-557f
Title: OpenClaw: Fake DeviceToken Bypasses Shared Auth Rate Limiting
History

Fri, 24 Apr 2026 14:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 23 Apr 2026 22:15:00 +0000

Values Removed: (none)
Values Added:
Description: OpenClaw before 2026.3.31 contains an authentication rate limiting bypass vulnerability that allows attackers to circumvent shared authentication protections using fake device tokens. Attackers can exploit the mixed WebSocket authentication flow to bypass rate limiting controls and conduct brute force attacks against weak shared passwords.
Title: OpenClaw < 2026.3.31 - Authentication Rate Limiting Bypass via Fake DeviceToken
First Time appeared: Openclaw; Openclaw openclaw
Weaknesses: CWE-799
CPEs: cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*
Vendors & Products: Openclaw; Openclaw openclaw
References: (none listed)
Metrics:
cvssV3_1: {'score': 3.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N'}
cvssV4_0: {'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-24T13:35:46.057Z

Reserved: 2026-04-20T14:03:06.199Z

Link: CVE-2026-41333

Vulnrichment

Updated: 2026-04-24T13:35:31.130Z

NVD

Status : Analyzed

Published: 2026-04-23T22:16:39.083

Modified: 2026-04-28T18:55:34.120

Link: CVE-2026-41333

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T20:30:06Z

Weaknesses