GHSA-w9f5-8q83-qwpx: Duplicate Advisory: OpenClaw: Fake DeviceToken Bypasses Shared Auth Rate Limiting
(updated )
Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-6p8r-6m93-557f. This link is maintained to preserve external references.
Original Description
OpenClaw before 2026.3.31 contains an authentication rate limiting bypass vulnerability that allows attackers to circumvent shared authentication protections using fake device tokens. Attackers can exploit the mixed WebSocket authentication flow to bypass rate limiting controls and conduct brute force attacks against weak shared passwords.
References
- github.com/advisories/GHSA-w9f5-8q83-qwpx
- github.com/openclaw/openclaw/commit/af0c0862f22ca4492406a3103d05e3628f94cbe9
- github.com/openclaw/openclaw/security/advisories/GHSA-6p8r-6m93-557f
- nvd.nist.gov/vuln/detail/CVE-2026-41333
- www.vulncheck.com/advisories/openclaw-authentication-rate-limiting-bypass-via-fake-devicetoken
Code Behaviors & Features
Detect and mitigate GHSA-w9f5-8q83-qwpx with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →