CVE-2026-41333

LOW

OpenClaw < 2026.3.31 - Authentication Rate Limiting Bypass via Fake DeviceToken

Title source: cna

Description

OpenClaw before 2026.3.31 contains an authentication rate limiting bypass vulnerability that allows attackers to circumvent shared authentication protections using fake device tokens. Attackers can exploit the mixed WebSocket authentication flow to bypass rate limiting controls and conduct brute force attacks against weak shared passwords.

References (3)

[Vendor Advisory] https://github.com/openclaw/openclaw/security/advisories/GHSA-6p8r-6m93-557f

[Patch] https://github.com/openclaw/openclaw/commit/af0c0862f22ca4492406a3103d05e3628f94cbe9

View Patch ZIP pw:eip

[Third Party Advisory] https://www.vulncheck.com/advisories/openclaw-authentication-rate-limiting-bypass-via-fake-devicetoken

Scores

CVSS v3 3.7

EPSS 0.0004

EPSS Percentile 12.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Details

CWE

CWE-799

Status published

Products (2)

OpenClaw/OpenClaw < 2026.3.31

OpenClaw/OpenClaw 2026.3.31

Published Apr 23, 2026

Tracked Since Apr 24, 2026