Description
OpenClaw 2026.2.26 before 2026.3.31 enforces pending pairing-request caps per channel file instead of per account, allowing attackers to exhaust the shared pending window. Remote attackers can submit pairing requests from other accounts to block new pairing challenges on unaffected accounts, causing denial of service.
Published: 2026-04-23
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Immediate Patch
AI Analysis

Impact

A flaw in OpenClaw versions prior to 2026.3.31 causes pending pairing‑request caps to be enforced per channel file instead of per account. This allows an attacker to submit a large number of pairing requests from different accounts, exhausting the shared pending window and preventing new pairing challenges from being generated for other accounts. The attack elevates to a denial of service because affected accounts can no longer initiate new pairing processes, disrupting legitimate users and services. The weakness is a type of logic error (CWE‑799) where a policy is applied at an incorrect granularity.

Affected Systems

The issue impacts the OpenClaw product named OpenClaw, affecting all installations running OpenClaw versions 2026.2.26 up to, but not including, 2026.3.31. No other vendors or product variants are mentioned as affected.

Risk and Exploitability

The CVSS score of 6.3 places this vulnerability in the moderate severity category. The EPSS score indicates a very low but non‑zero exploitation probability, and it is not listed in the CISA KEV catalog. Attackers can exploit this by sending pairing requests remotely from other accounts; the easiest vector is through network access to the OpenClaw service. If the attacker can maintain enough concurrent requests to fill the per‑channel quota, all other accounts are effectively locked out of pairing, leading to a denial of service for those users.

Generated by OpenCVE AI on April 28, 2026 at 07:18 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OpenClaw to version 2026.3.31 or later to disable the faulty per‑channel cap enforcement.
  • If upgrading is not immediately possible, configure the application to lower the per‑channel pending pairing request limit or implement per‑account caps where supported.
  • Actively monitor system logs for unusually high numbers of pairing requests and block or rate‑limit IP addresses that exhibit suspicious activity.
  • Apply any available configuration settings that enforce correct accounting of pending requests per account, ensuring the logic aligns with intended policy.

Generated by OpenCVE AI on April 28, 2026 at 07:18 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-wwfp-w96m-c6x8 OpenClaw: Pairing pending-request caps were enforced per channel instead of per account
History

Fri, 24 Apr 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 23 Apr 2026 22:15:00 +0000

Type Values Removed Values Added
Description OpenClaw 2026.2.26 before 2026.3.31 enforces pending pairing-request caps per channel file instead of per account, allowing attackers to exhaust the shared pending window. Remote attackers can submit pairing requests from other accounts to block new pairing challenges on unaffected accounts, causing denial of service.
Title OpenClaw 2026.2.26 < 2026.3.31 - Denial of Service via Improper Pending Pairing Request Cap Enforcement
First Time appeared Openclaw
Openclaw openclaw
Weaknesses CWE-799
CPEs cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*
Vendors & Products Openclaw
Openclaw openclaw
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}

cvssV4_0

{'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N'}

Subscriptions

Openclaw Openclaw
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-24T16:39:00.293Z

Reserved: 2026-04-20T14:05:09.184Z

Link: CVE-2026-41346

cve-icon Vulnrichment

Updated: 2026-04-24T16:38:56.749Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-23T22:16:41.313

Modified: 2026-04-29T14:44:10.140

Link: CVE-2026-41346

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T07:30:26Z

Weaknesses