GHSA-25wv-8phj-8p7r: OpenClaw: Concurrent async auth attempts can bypass the intended shared-secret rate-limit budget on Tailscale-capable paths

April 9, 2026

Concurrent async auth attempts can bypass the intended shared-secret rate-limit budget on Tailscale-capable paths.

Concurrent asynchronous shared-secret auth attempts could race the per-key rate-limit budget.

OpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary.

References

github.com/advisories/GHSA-25wv-8phj-8p7r
github.com/openclaw/openclaw
github.com/openclaw/openclaw/security/advisories/GHSA-25wv-8phj-8p7r

Code Behaviors & Features

Detect and mitigate GHSA-25wv-8phj-8p7r with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →