Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
6.9
OpenClaw has hook auth rate limiter bypass via IPv4-mapped IPv6 client key variants
GHSA-5847-rm3g-23mw
Summary
## Vulnerability
The hook authentication throttle keyed failed attempts by raw socket `remoteAddress` text.
IPv4 and IPv4-mapped IPv6 forms of the same client (for example `1.2.3.4` and `::ffff:1.2.3.4`) were treated as different clients, allowing separate rate-limit buckets.
## Impact
An attack...
What to do
- Update openclaw to version 2026.2.22.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | openclaw | <= 2026.2.22 | 2026.2.22 |
Original title
OpenClaw has hook auth rate limiter bypass via IPv4-mapped IPv6 client key variants
Original description
## Vulnerability
The hook authentication throttle keyed failed attempts by raw socket `remoteAddress` text.
IPv4 and IPv4-mapped IPv6 forms of the same client (for example `1.2.3.4` and `::ffff:1.2.3.4`) were treated as different clients, allowing separate rate-limit buckets.
## Impact
An attacker could split failed hook-auth attempts across both address forms and effectively double the brute-force budget from 20 to 40 attempts per 60-second window.
## Affected Components
- `src/gateway/server-http.ts`
- `src/gateway/auth-rate-limit.ts`
## Affected Packages / Versions
- Package: `openclaw` (npm)
- Vulnerable versions: `<= 2026.2.21-2`
- Patched version (planned next release): `2026.2.22`
## Remediation
Centralize and reuse canonical client-IP normalization for auth rate-limiting, and use that canonical key for hook auth throttling.
## Fix Commit(s)
- `3284d2eb227e7b6536d543bcf5c3e320bc9d13c5`
## Release Process Note
`patched_versions` is pre-set to the planned next release (`2026.2.22`) so once npm release `2026.2.22` is published, this advisory can be published directly.
OpenClaw thanks @aether-ai-agent for reporting.
The hook authentication throttle keyed failed attempts by raw socket `remoteAddress` text.
IPv4 and IPv4-mapped IPv6 forms of the same client (for example `1.2.3.4` and `::ffff:1.2.3.4`) were treated as different clients, allowing separate rate-limit buckets.
## Impact
An attacker could split failed hook-auth attempts across both address forms and effectively double the brute-force budget from 20 to 40 attempts per 60-second window.
## Affected Components
- `src/gateway/server-http.ts`
- `src/gateway/auth-rate-limit.ts`
## Affected Packages / Versions
- Package: `openclaw` (npm)
- Vulnerable versions: `<= 2026.2.21-2`
- Patched version (planned next release): `2026.2.22`
## Remediation
Centralize and reuse canonical client-IP normalization for auth rate-limiting, and use that canonical key for hook auth throttling.
## Fix Commit(s)
- `3284d2eb227e7b6536d543bcf5c3e320bc9d13c5`
## Release Process Note
`patched_versions` is pre-set to the planned next release (`2026.2.22`) so once npm release `2026.2.22` is published, this advisory can be published directly.
OpenClaw thanks @aether-ai-agent for reporting.
ghsa CVSS4.0
6.9
Vulnerability type
CWE-770
Allocation of Resources Without Limits
Published: 3 Mar 2026 · Updated: 7 Mar 2026 · First seen: 6 Mar 2026