GHSA-6rmx-gvvg-vh6j

Source
https://github.com/advisories/GHSA-6rmx-gvvg-vh6j
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-6rmx-gvvg-vh6j/GHSA-6rmx-gvvg-vh6j.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-6rmx-gvvg-vh6j
Published
2026-03-09T19:52:47Z
Modified
2026-03-09T20:01:25.530351Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Summary
OpenClaw's hooks count non-POST requests toward auth lockout
Details

OpenClaw's hooks HTTP handler counted hook authentication failures before rejecting unsupported HTTP methods. An unauthenticated client could send repeated non-POST requests (for example GET) with an invalid token to consume the hook auth failure budget and trigger the temporary lockout window for that client key.

The fix moves the hook method gate ahead of auth-failure accounting so unsupported methods return 405 Method Not Allowed without incrementing the hook auth limiter.
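As an added illustration (not OpenClaw's code), the model below contrasts the two handler orderings from the Details section: a per-client failure budget with a lockout window, a handler that counts a bad token before rejecting the method, and the corrected handler that gates on the method first. The limiter, the status code returned to a locked-out client, the token value and the client key are all constructed assumptions.

```typescript
// Per-client auth-failure budget with a lockout window (constructed model, not OpenClaw's limiter).
class HookAuthLimiter {
  private failures = new Map<string, number>();
  private lockedUntil = new Map<string, number>();
  private maxFailures: number;
  private lockoutMs: number;
  constructor(maxFailures: number, lockoutMs: number) { this.maxFailures = maxFailures; this.lockoutMs = lockoutMs; }
  isLocked(clientKey: string, now: number): boolean {
    const until = this.lockedUntil.get(clientKey);
    return until !== undefined && now < until;
  }
  recordFailure(clientKey: string, now: number): void {
    const n = (this.failures.get(clientKey) ?? 0) + 1;
    this.failures.set(clientKey, n);
    if (n >= this.maxFailures) { // budget exhausted: open the lockout window
      this.lockedUntil.set(clientKey, now + this.lockoutMs);
      this.failures.set(clientKey, 0);
    }
  }
}
type HookRequest = { method: string; token: string; clientKey: string };
const VALID_TOKEN = "constructed-valid-token"; // constructed sample secret

// Vulnerable ordering: the bad token is counted before the method is checked, so a GET with a
// wrong token still burns failure budget. (429 for a locked-out client is this model's assumption.)
function handleHookVulnerable(req: HookRequest, limiter: HookAuthLimiter, now: number): number {
  if (limiter.isLocked(req.clientKey, now)) return 429;
  if (req.token !== VALID_TOKEN) { limiter.recordFailure(req.clientKey, now); return 401; }
  if (req.method !== "POST") return 405;
  return 200;
}

// Fixed ordering: the method gate runs first, so non-POST requests get 405 Method Not
// Allowed without touching the auth limiter at all.
function handleHookFixed(req: HookRequest, limiter: HookAuthLimiter, now: number): number {
  if (req.method !== "POST") return 405;
  if (limiter.isLocked(req.clientKey, now)) return 429;
  if (req.token !== VALID_TOKEN) { limiter.recordFailure(req.clientKey, now); return 401; }
  return 200;
}

// Replays the advisory's scenario: `budget` bad-token GETs from one client key, then a
// legitimate POST from a client that collapses to the same key (shared proxy or NAT).
function simulate(handler: typeof handleHookFixed, budget: number): number {
  const limiter = new HookAuthLimiter(budget, 60_000);
  const key = "192.0.2.10"; // constructed client key (documentation address range)
  for (let i = 0; i < budget; i++) {
    handler({ method: "GET", token: "wrong", clientKey: key }, limiter, 1_000 + i);
  }
  return handler({ method: "POST", token: VALID_TOKEN, clientKey: key }, limiter, 2_000);
}
```

With the vulnerable ordering the final legitimate POST is refused because the GETs exhausted the shared key's budget; with the fixed ordering the GETs return 405 and the POST succeeds, while bad-token POSTs are still counted and still lock the key.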

Affected Packages / Versions

  • Package: openclaw (npm)
  • Affected versions: <= 2026.3.2
  • Patched version: 2026.3.7
  • Latest published npm version at patch time: 2026.3.2

Impact

An unauthenticated network client that could reach /hooks/* could temporarily lock out legitimate webhook delivery when requests collapse to the same hook auth client key, as in shared proxy or NAT topologies. Impact is limited to temporary availability loss for hook-triggered wake or automation delivery.

Fix Commit(s)

  • 44820dceadac65ac7c0ce8fc0ffba8c2bd9fae89

Verification

  • pnpm check passed
  • pnpm test:fast passed
  • focused hook regression tests passed
  • pnpm exec vitest run --config vitest.gateway.config.ts still has unrelated current-main failures in src/gateway/server-channels.test.ts and src/gateway/server-methods/agents-mutate.test.ts

Release Process Note

npm 2026.3.7 was published on March 8, 2026. The fix for this advisory is included in that released package.

Thanks @JNX03 for reporting.

Database specific
{
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-09T19:52:47Z",
    "cwe_ids": [
        "CWE-307",
        "CWE-799"
    ],
    "severity": "MODERATE",
    "nvd_published_at": null
}

Affected packages

npm / openclaw

  • Affected ranges (type SEMVER): introduced 0 (unknown introduced version; all previous versions are affected), fixed 2026.3.7
  • Database specific:
      source: "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-6rmx-gvvg-vh6j/GHSA-6rmx-gvvg-vh6j.json"
      last_known_affected_version_range: "<= 2026.3.2"