CVSS 3.1 base score: 5.3

OpenClaw's hooks can be locked out by non-POST requests

GHSA-6rmx-gvvg-vh6j
Summary

An attacker can send repeated non-POST requests with an invalid token to an OpenClaw hook, causing the hook auth limiter to temporarily lock out the attacker's client key. Because lockout is keyed per client, legitimate webhook senders that share that key with the attacker, for example behind the same proxy or NAT, are locked out as well. To fix this issue, update to OpenClaw version 2026.3.7 or later.

What to do
  • Update openclaw to version 2026.3.7.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | openclaw | <= 2026.3.7 | 2026.3.7 |
Original title
OpenClaw's hooks count non-POST requests toward auth lockout
Original description
OpenClaw's hooks HTTP handler counted hook authentication failures before rejecting unsupported HTTP methods. An unauthenticated client could send repeated non-`POST` requests (for example `GET`) with an invalid token to consume the hook auth failure budget and trigger the temporary lockout window for that client key.

The fix moves the hook method gate ahead of auth-failure accounting so unsupported methods return `405 Method Not Allowed` without incrementing the hook auth limiter.
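
The two orderings described above, as an added example that is not OpenClaw's code: a minimal model of a per-client-key hook auth limiter, with the pre-fix handler counting auth failures before the method check beside the fixed handler that returns 405 first. The limiter thresholds, the token and the function names are assumptions.

```typescript
// Added example, not OpenClaw's code: a minimal per-client-key hook auth
// limiter in two request orderings. MAX_FAILURES, LOCKOUT_MS, HOOK_TOKEN and
// the handler names are assumptions; OpenClaw's real values are not on the page.
const MAX_FAILURES = 3;
const LOCKOUT_MS = 60_000;
const HOOK_TOKEN = "constructed-sample-token"; // constructed sample secret

interface HookRequest { method: string; clientKey: string; token?: string }
interface HookResponse { status: number }

class HookAuthLimiter {
  private failures = new Map<string, number>();
  private lockedUntil = new Map<string, number>();
  isLocked(key: string, now: number): boolean {
    const until = this.lockedUntil.get(key);
    return until !== undefined && now < until;
  }

  recordFailure(key: string, now: number): void {
    const n = (this.failures.get(key) ?? 0) + 1;
    this.failures.set(key, n);
    if (n >= MAX_FAILURES) this.lockedUntil.set(key, now + LOCKOUT_MS);
  }

  reset(key: string): void { this.failures.delete(key); }
}
// Shared auth step: a lockout yields 429, a bad token is counted and yields 401.
// (A production handler would compare tokens in constant time.)
function authenticate(req: HookRequest, l: HookAuthLimiter, now: number): HookResponse | null {
  if (l.isLocked(req.clientKey, now)) return { status: 429 };
  if (req.token !== HOOK_TOKEN) { l.recordFailure(req.clientKey, now); return { status: 401 }; }
  l.reset(req.clientKey);
  return null;
}

// Pre-fix ordering: auth failures are counted before the method is checked,
// so unauthenticated GETs consume the failure budget of the client key.
function handleHookVulnerable(req: HookRequest, l: HookAuthLimiter, now: number): HookResponse {
  const denied = authenticate(req, l, now);
  if (denied) return denied;
  return req.method === "POST" ? { status: 200 } : { status: 405 };
}

// Fixed ordering: unsupported methods get 405 before any auth-failure
// accounting, so only POST requests can move the limiter.
function handleHookFixed(req: HookRequest, l: HookAuthLimiter, now: number): HookResponse {
  if (req.method !== "POST") return { status: 405 };
  return authenticate(req, l, now) ?? { status: 200 };
}
```

With three bad-token GETs from a shared client key, the pre-fix ordering answers the next valid POST with 429 until the lockout expires, while the fixed ordering never touched the limiter and answers 200.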

## Affected Packages / Versions

- Package: `openclaw` (npm)
- Affected versions: `<= 2026.3.2`
- Patched version: `2026.3.7`
- Latest published npm version at patch time: `2026.3.2`

## Impact

An unauthenticated network client that could reach `/hooks/*` could temporarily lock out legitimate webhook delivery whenever its requests collapsed to the same hook auth client key as the legitimate sender's, as in shared proxy or NAT topologies. Impact is limited to temporary availability loss for hook-triggered wake or automation delivery.

## Fix Commit(s)

- `44820dceadac65ac7c0ce8fc0ffba8c2bd9fae89`

## Verification

- `pnpm check` passed
- `pnpm test:fast` passed
- focused hook regression tests passed
- `pnpm exec vitest run --config vitest.gateway.config.ts` still has unrelated current-`main` failures in `src/gateway/server-channels.test.ts` and `src/gateway/server-methods/agents-mutate.test.ts`

## Release Process Note

npm `2026.3.7` was published on March 8, 2026. The fix described in this advisory is included in that released package.

Thanks @JNX03 for reporting.
Source: OSV · CVSS 3.1: 5.3
Vulnerability type
CWE-307
CWE-799
Published: 9 Mar 2026 · Updated: 13 Mar 2026 · First seen: 9 Mar 2026