OpenClaw: Fake Device Tokens Can Bypass Login Limits
GHSA-6p8r-6m93-557f
Summary
The OpenClaw software has a flaw that allows an attacker to bypass the limit on how many times a device can try to log in to a shared account. This could be a problem for companies that use weak passwords, but not as much of a risk for those with strong passwords. To fix this, update OpenClaw to version 2026.3.31 or newer.
What to do
- Update openclaw to version 2026.3.31.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | openclaw | <= 2026.3.28 | 2026.3.31 |
Original title
OpenClaw: Fake DeviceToken Bypasses Shared Auth Rate Limiting
Original description
## Summary
Fake DeviceToken Bypasses Shared Auth Rate Limiting
## Current Maintainer Triage
- Status: narrow
- Normalized severity: low
- Assessment: Real in the shipped mixed WS auth flow, but the practical risk is mostly limited to weak shared-password deployments, since strong shared tokens remain non-bruteforceable.
## Affected Packages / Versions
- Package: `openclaw` (npm)
- Latest published npm version: `2026.3.31`
- Vulnerable version range: `<=2026.3.28`
- Patched versions: `>= 2026.3.31`
- First stable tag containing the fix: `v2026.3.31`
## Fix Commit(s)
- `af0c0862f22ca4492406a3103d05e3628f94cbe9` — 2026-03-31T09:08:57+09:00
## Release Process Note
- The fix is already present in released version `2026.3.31`.
OpenClaw thanks @kexinoh of Tencent zhuque Lab (https://github.com/Tencent/AI-Infra-Guard) for reporting.
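The flaw class the triage describes, shown as an added example that is not OpenClaw's code and does not reproduce its fix: a failed-login limiter whose bucket is keyed on a client-supplied device token hands every forged token a fresh bucket, while keying the shared-credential limiter on the caller's connection origin does not. The field names, the limit of 5 attempts and the sample requests are constructed.

```javascript
// Constructed illustration (not OpenClaw's code): a failed-login rate limiter
// keyed on an unverified, client-chosen deviceToken can be bypassed by sending
// a fresh token per attempt. Keying the shared-credential limiter on the actual
// connection address (never a spoofable forwarded header) closes that gap.
const MAX_FAILED_ATTEMPTS = 5; // assumed limit
const WINDOW_MS = 60_000;

// Generic sliding-window failure counter over an arbitrary bucket key.
function makeLimiter() {
  const buckets = new Map();
  return {
    isBlocked(key, now) {
      const hits = (buckets.get(key) || []).filter((t) => now - t < WINDOW_MS);
      buckets.set(key, hits);
      return hits.length >= MAX_FAILED_ATTEMPTS;
    },
    recordFailure(key, now) {
      const hits = buckets.get(key) || [];
      hits.push(now);
      buckets.set(key, hits);
    },
  };
}

// Replays failed shared-password attempts and returns how many reached the
// password check. `keyFn` picks the request attribute the bucket is keyed on.
function countAttemptsReachingAuth(keyFn, attempts) {
  const limiter = makeLimiter();
  let reachedAuth = 0;
  attempts.forEach((req, i) => {
    const key = keyFn(req);
    if (limiter.isBlocked(key, i)) return; // rejected before the password check
    reachedAuth += 1;
    limiter.recordFailure(key, i); // every sample attempt carries a wrong password
  });
  return reachedAuth;
}

// Constructed sample: 20 attempts from one address, each with a forged deviceToken.
const FORGED_ATTEMPTS = Array.from({ length: 20 }, (_, i) => ({
  remoteAddress: '203.0.113.7',
  deviceToken: `forged-${i}`,
}));

// Vulnerable key: trusts the unverified deviceToken, so all 20 reach the check.
const vulnerableKey = (req) => `device:${req.deviceToken}`;
// Hardened key: the caller cannot pick its origin, so only 5 of 20 get through.
const hardenedKey = (req) => `origin:${req.remoteAddress}`;
```

A strong shared token stays non-bruteforceable under either key; the limiter matters precisely for the weak-password deployments the triage names.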
CVSS 4.0 score (GHSA): 6.3
Vulnerability type: CWE-307 (Improper Restriction of Excessive Authentication Attempts)
Published: 3 Apr 2026 · Updated: 3 Apr 2026 · First seen: 3 Apr 2026