LOW 3.7 npm
OpenClaw: Fake DeviceToken Bypasses Shared Auth Rate Limiting
GHSA-6p8r-6m93-557f · CVE-2026-41333
Description
Summary
Fake DeviceToken Bypasses Shared Auth Rate Limiting
Current Maintainer Triage
- Status: narrow
- Normalized severity: low
- Assessment: Real in the shipped mixed WS auth flow, but the practical risk is mostly to weak shared-password deployments, since strong shared tokens remain non-brute-forceable.
Affected Packages / Versions
- Package: openclaw (npm)
- Latest published npm version: 2026.3.31
- Vulnerable version range: <=2026.3.28
- Patched versions: >= 2026.3.31
- First stable tag containing the fix: v2026.3.31
Fix Commit(s)
af0c0862f22ca4492406a3103d05e3628f94cbe9 (2026-03-31T09:08:57+09:00)
Release Process Note
- The fix is already present in released version 2026.3.31.
OpenClaw thanks @kexinoh of Tencent zhuque Lab (https://github.com/Tencent/AI-Infra-Guard) for reporting.
References
- WEB https://github.com/openclaw/openclaw/security/advisories/GHSA-6p8r-6m93-557f
- WEB https://github.com/openclaw/openclaw/commit/af0c0862f22ca4492406a3103d05e3628f94cbe9
- PACKAGE https://github.com/openclaw/openclaw
- WEB https://github.com/openclaw/openclaw/releases/tag/v2026.3.31
- WEB https://www.vulncheck.com/advisories/openclaw-authentication-rate-limiting-bypass-via-fake-devicetoken