GHSA-w9f5-8q83-qwpx
Suggest an improvement- Source
- https://github.com/advisories/GHSA-w9f5-8q83-qwpx
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-w9f5-8q83-qwpx/GHSA-w9f5-8q83-qwpx.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-w9f5-8q83-qwpx
- Downstream
- Withdrawn
- 2026-05-04T22:00:35Z
- Published
- 2026-04-24T00:31:51Z
- Modified
- 2026-05-05T16:11:33.422567Z
- Severity
-
- 3.7 (Low) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS Calculator
- 6.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X CVSS Calculator
- Summary
- Duplicate Advisory: OpenClaw: Fake DeviceToken Bypasses Shared Auth Rate Limiting
- Details
-
Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-6p8r-6m93-557f. This link is maintained to preserve external references.
Original Description
OpenClaw before 2026.3.31 contains an authentication rate limiting bypass vulnerability that allows attackers to circumvent shared authentication protections using fake device tokens. Attackers can exploit the mixed WebSocket authentication flow to bypass rate limiting controls and conduct brute force attacks against weak shared passwords.
- Database specific
{ "severity": "MODERATE", "cwe_ids": [ "CWE-799" ], "github_reviewed": true, "github_reviewed_at": "2026-05-04T22:00:35Z", "nvd_published_at": "2026-04-23T22:16:39Z" }- References
-
- https://github.com/openclaw/openclaw/security/advisories/GHSA-6p8r-6m93-557f
- https://nvd.nist.gov/vuln/detail/CVE-2026-41333
- https://github.com/openclaw/openclaw/commit/af0c0862f22ca4492406a3103d05e3628f94cbe9
- https://www.vulncheck.com/advisories/openclaw-authentication-rate-limiting-bypass-via-fake-devicetoken
Affected packages
npm / openclaw
Package
- Name
- openclaw
- View open source insights on deps.dev
- Purl
- pkg:npm/openclaw